Bug 1197082 (CVE-2015-0296)

Summary: CVE-2015-0296 texlive rpm scriptlet allows unprivileged user to delete arbitrary files
Product: [Other] Security Response Reporter: Siddharth Sharma <sisharma>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jrusnack, novyjindrich, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-10-29 20:43:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1197084    
Bug Blocks: 1196300    

Description Siddharth Sharma 2015-02-27 13:12:35 UTC 
A flaw was found in the pre-install script of texlive-base package derived from
texlive package. This flaw allows unprivileged user to remove arbitrary files 
on the system.

~ rpm -qa texlive-base --scripts
preinstall scriptlet (using /bin/sh):
rm -rf /usr/share/texlive/texmf-var
rm -rf /var/lib/texmf/*

# Following script in the preinstall scriplet allows attacker to remove arbitrary
files on the systems
for i in `find /home/*/.texlive* -type d -prune`; do
find $i -name *.fmt -type f | xargs rm -f > /dev/null 2>&1
done
...

Attacker can create a malicious file in his $HOME directory that would trigger
file removal and wait for the texlive-base package to be updated by administrator,
as when package will be updated it would run preinstall scriplet which would then
run malicious file in attacker $HOME directory as privileged user.

Reproducer and more information:

https://bugzilla.redhat.com/show_bug.cgi?id=1099238
Comment 1 Siddharth Sharma 2015-02-27 13:15:24 UTC 
Created texlive tracking bugs for this issue:

Affects: fedora-all [bug 1197084]
Comment 2 Siddharth Sharma 2015-02-27 13:27:23 UTC 
Patch
=====

I suppose this is the patch

http://pkgs.fedoraproject.org/cgit/texlive.git/commit/?id=7fea493a0dfcd6e42329347cab50eb2ecdc0b69b
Comment 3 Than Ngo 2015-04-01 11:55:26 UTC 
it's already fixed in texlive-2013-6.20131226_r32488.fc20, texlive-2014-3.1.20140525_r34255.fc21
Comment 4 Fedora Update System 2015-04-02 15:36:35 UTC 
texlive-2013-6.20131226_r32488.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2015-04-08 06:55:33 UTC 
texlive-2014-3.1.20140525_r34255.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.