Bug 1181167 (CVE-2015-5700, CVE-2015-5701) - CVE-2015-5700 CVE-2015-5701 texlive: insecure use of /tmp in mktexlsr
Summary: CVE-2015-5700 CVE-2015-5701 texlive: insecure use of /tmp in mktexlsr
Status: CLOSED WONTFIX
Alias: CVE-2015-5700, CVE-2015-5701
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20150111,reported=2...
Keywords: Security
Depends On: 1181169
Blocks: 1225847
TreeView+ depends on / blocked
 
Reported: 2015-01-12 14:11 UTC by Vasyl Kaigorodov
Modified: 2019-06-08 20:21 UTC (History)
2 users (show)

(edit)
It was discovered that the mktexlsr script of the texlive package creates temporary files in an insecure way. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running mktexslr, or obtain sensitive information from the temporary files.
Clone Of:
(edit)
Last Closed: 2015-09-23 11:07:16 UTC


Attachments (Terms of Use)
mktexlsr.patch (334 bytes, text/plain)
2015-01-12 14:12 UTC, Vasyl Kaigorodov
no flags Details

Description Vasyl Kaigorodov 2015-01-12 14:11:20 UTC
It was reported [1] that mktexlsr script uses /tmp in an insecure way.
Part of original report:
...
This is how mktexlsr uses temporary files (with boring parts snipped):

treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
# ...
while test $# -gt 0; do
   # ...
   (umask 077
   if echo "$1" >>"$treefile"; then :; else
     echo "$progname: $treefile: could not append to arg file, goodbye." >&2
     exit 1
   fi
   # ...
done


This is insecure because the filename is predictable and, more 
importantly, the program doesn't fail atomically if the file already 
exists.
...

Suggested patch is attached.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775139

Comment 1 Vasyl Kaigorodov 2015-01-12 14:12:36 UTC
Created attachment 979176 [details]
mktexlsr.patch

Comment 2 Vasyl Kaigorodov 2015-01-12 14:13:02 UTC
Created texlive tracking bugs for this issue:

Affects: fedora-all [bug 1181169]

Comment 3 Ngo Than 2015-04-01 13:16:45 UTC
do we have CVE id for this bug?

Comment 4 Fedora Update System 2015-05-10 23:38:05 UTC
texlive-2014-8.20140525_r34255.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2015-05-12 20:38:02 UTC
texlive-2014-7.1.20140525_r34255.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Vasyl Kaigorodov 2015-07-28 15:00:34 UTC
(In reply to Ngo Than from comment #3)
> do we have CVE id for this bug?

Have just requested one on oss-security. This BZ will be updated with the CVE ID once it's assigned.
This is how upstream fixed it:

--- texlive-bin.orig/texk/kpathsea/mktexlsr
+++ texlive-bin/texk/kpathsea/mktexlsr
@@ -73,7 +73,7 @@
 dry_run=false
 trees=

-treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
+treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1

Comment 7 Martin Prpič 2015-07-30 14:47:28 UTC
MITRE assigned two CVEs, details here:

http://seclists.org/oss-sec/2015/q3/250

Comment 8 Vasyl Kaigorodov 2015-08-04 14:11:36 UTC
To clear things up.

CVE-2015-5700 is for the issue introduced by this commit (lines 69-72):
http://tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=19613&r2=22885

It looks like later at some point this was fixed to use "mktemp --tmpdir" (commit unknown), and CVE-2015-5701 was assigned to the issue introduced by this commit:
http://tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=36626&r2=36855

Comment 9 Stefan Cornelius 2015-08-06 13:05:53 UTC
Looks like this was introduced via:
http://tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=19613&r2=22885

Texlive for RHEL6 does not have this change yet and is not vulnerable.
Texlive for RHEL7, however, ships with this change and is vulnerable.


Note You need to log in before you can comment on or make changes to this bug.