Bug 1197082 (CVE-2015-0296) - CVE-2015-0296 texlive rpm scriptlet allows unprivileged user to delete arbitrary files
Summary: CVE-2015-0296 texlive rpm scriptlet allows unprivileged user to delete arbitr...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-0296
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20140519,repor...
Depends On: 1197084
Blocks: 1196300
TreeView+ depends on / blocked
 
Reported: 2015-02-27 13:12 UTC by Siddharth Sharma
Modified: 2019-06-08 20:27 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-29 20:43:22 UTC


Attachments (Terms of Use)

Description Siddharth Sharma 2015-02-27 13:12:35 UTC
A flaw was found in the pre-install script of texlive-base package derived from
texlive package. This flaw allows unprivileged user to remove arbitrary files 
on the system.

~ rpm -qa texlive-base --scripts
preinstall scriptlet (using /bin/sh):
rm -rf /usr/share/texlive/texmf-var
rm -rf /var/lib/texmf/*

# Following script in the preinstall scriplet allows attacker to remove arbitrary
files on the systems
for i in `find /home/*/.texlive* -type d -prune`; do
find $i -name *.fmt -type f | xargs rm -f > /dev/null 2>&1
done
...

Attacker can create a malicious file in his $HOME directory that would trigger
file removal and wait for the texlive-base package to be updated by administrator,
as when package will be updated it would run preinstall scriplet which would then
run malicious file in attacker $HOME directory as privileged user.

Reproducer and more information:

https://bugzilla.redhat.com/show_bug.cgi?id=1099238

Comment 1 Siddharth Sharma 2015-02-27 13:15:24 UTC
Created texlive tracking bugs for this issue:

Affects: fedora-all [bug 1197084]

Comment 2 Siddharth Sharma 2015-02-27 13:27:23 UTC
Patch
=====

I suppose this is the patch

http://pkgs.fedoraproject.org/cgit/texlive.git/commit/?id=7fea493a0dfcd6e42329347cab50eb2ecdc0b69b

Comment 3 Ngo Than 2015-04-01 11:55:26 UTC
it's already fixed in texlive-2013-6.20131226_r32488.fc20, texlive-2014-3.1.20140525_r34255.fc21

Comment 4 Fedora Update System 2015-04-02 15:36:35 UTC
texlive-2013-6.20131226_r32488.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2015-04-08 06:55:33 UTC
texlive-2014-3.1.20140525_r34255.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.