Red Hat Bugzilla – Bug 1181167
CVE-2015-5700 CVE-2015-5701 texlive: insecure use of /tmp in mktexlsr
Last modified: 2015-11-24 08:03:23 EST
It was reported  that mktexlsr script uses /tmp in an insecure way.
Part of original report:
This is how mktexlsr uses temporary files (with boring parts snipped):
while test $# -gt 0; do
if echo "$1" >>"$treefile"; then :; else
echo "$progname: $treefile: could not append to arg file, goodbye." >&2
This is insecure because the filename is predictable and, more
importantly, the program doesn't fail atomically if the file already
Suggested patch is attached.
Created attachment 979176 [details]
Created texlive tracking bugs for this issue:
Affects: fedora-all [bug 1181169]
do we have CVE id for this bug?
texlive-2014-8.20140525_r34255.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
texlive-2014-7.1.20140525_r34255.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Ngo Than from comment #3)
> do we have CVE id for this bug?
Have just requested one on oss-security. This BZ will be updated with the CVE ID once it's assigned.
This is how upstream fixed it:
@@ -73,7 +73,7 @@
+treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1
MITRE assigned two CVEs, details here:
To clear things up.
CVE-2015-5700 is for the issue introduced by this commit (lines 69-72):
It looks like later at some point this was fixed to use "mktemp --tmpdir" (commit unknown), and CVE-2015-5701 was assigned to the issue introduced by this commit:
Looks like this was introduced via:
Texlive for RHEL6 does not have this change yet and is not vulnerable.
Texlive for RHEL7, however, ships with this change and is vulnerable.