This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1181167 - (CVE-2015-5700, CVE-2015-5701) CVE-2015-5700 CVE-2015-5701 texlive: insecure use of /tmp in mktexlsr
CVE-2015-5700 CVE-2015-5701 texlive: insecure use of /tmp in mktexlsr
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20150111,reported=2...
: Security
Depends On: 1181169
Blocks: 1225847
  Show dependency treegraph
 
Reported: 2015-01-12 09:11 EST by Vasyl Kaigorodov
Modified: 2015-11-24 08:03 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the mktexlsr script of the texlive package creates temporary files in an insecure way. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running mktexslr, or obtain sensitive information from the temporary files.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-09-23 07:07:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
mktexlsr.patch (334 bytes, text/plain)
2015-01-12 09:12 EST, Vasyl Kaigorodov
no flags Details

  None (edit)
Description Vasyl Kaigorodov 2015-01-12 09:11:20 EST
It was reported [1] that mktexlsr script uses /tmp in an insecure way.
Part of original report:
...
This is how mktexlsr uses temporary files (with boring parts snipped):

treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
# ...
while test $# -gt 0; do
   # ...
   (umask 077
   if echo "$1" >>"$treefile"; then :; else
     echo "$progname: $treefile: could not append to arg file, goodbye." >&2
     exit 1
   fi
   # ...
done


This is insecure because the filename is predictable and, more 
importantly, the program doesn't fail atomically if the file already 
exists.
...

Suggested patch is attached.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775139
Comment 1 Vasyl Kaigorodov 2015-01-12 09:12:36 EST
Created attachment 979176 [details]
mktexlsr.patch
Comment 2 Vasyl Kaigorodov 2015-01-12 09:13:02 EST
Created texlive tracking bugs for this issue:

Affects: fedora-all [bug 1181169]
Comment 3 Ngo Than 2015-04-01 09:16:45 EDT
do we have CVE id for this bug?
Comment 4 Fedora Update System 2015-05-10 19:38:05 EDT
texlive-2014-8.20140525_r34255.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2015-05-12 16:38:02 EDT
texlive-2014-7.1.20140525_r34255.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Vasyl Kaigorodov 2015-07-28 11:00:34 EDT
(In reply to Ngo Than from comment #3)
> do we have CVE id for this bug?

Have just requested one on oss-security. This BZ will be updated with the CVE ID once it's assigned.
This is how upstream fixed it:

--- texlive-bin.orig/texk/kpathsea/mktexlsr
+++ texlive-bin/texk/kpathsea/mktexlsr
@@ -73,7 +73,7 @@
 dry_run=false
 trees=

-treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
+treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1
Comment 7 Martin Prpič 2015-07-30 10:47:28 EDT
MITRE assigned two CVEs, details here:

http://seclists.org/oss-sec/2015/q3/250
Comment 8 Vasyl Kaigorodov 2015-08-04 10:11:36 EDT
To clear things up.

CVE-2015-5700 is for the issue introduced by this commit (lines 69-72):
http://tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=19613&r2=22885

It looks like later at some point this was fixed to use "mktemp --tmpdir" (commit unknown), and CVE-2015-5701 was assigned to the issue introduced by this commit:
http://tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=36626&r2=36855
Comment 9 Stefan Cornelius 2015-08-06 09:05:53 EDT
Looks like this was introduced via:
http://tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=19613&r2=22885

Texlive for RHEL6 does not have this change yet and is not vulnerable.
Texlive for RHEL7, however, ships with this change and is vulnerable.

Note You need to log in before you can comment on or make changes to this bug.