Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1197082 - (CVE-2015-0296) CVE-2015-0296 texlive rpm scriptlet allows unprivileged user to delete arbitrary files
CVE-2015-0296 texlive rpm scriptlet allows unprivileged user to delete arbitr...
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20140519,repor...
: Security
Depends On: 1197084
Blocks: 1196300
  Show dependency treegraph
 
Reported: 2015-02-27 08:12 EST by Siddharth Sharma
Modified: 2015-10-30 07:54 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-29 16:43:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Siddharth Sharma 2015-02-27 08:12:35 EST 
A flaw was found in the pre-install script of texlive-base package derived from
texlive package. This flaw allows unprivileged user to remove arbitrary files 
on the system.

~ rpm -qa texlive-base --scripts
preinstall scriptlet (using /bin/sh):
rm -rf /usr/share/texlive/texmf-var
rm -rf /var/lib/texmf/*

# Following script in the preinstall scriplet allows attacker to remove arbitrary
files on the systems
for i in `find /home/*/.texlive* -type d -prune`; do
find $i -name *.fmt -type f | xargs rm -f > /dev/null 2>&1
done
...

Attacker can create a malicious file in his $HOME directory that would trigger
file removal and wait for the texlive-base package to be updated by administrator,
as when package will be updated it would run preinstall scriplet which would then
run malicious file in attacker $HOME directory as privileged user.

Reproducer and more information:

https://bugzilla.redhat.com/show_bug.cgi?id=1099238
Comment 1 Siddharth Sharma 2015-02-27 08:15:24 EST 
Created texlive tracking bugs for this issue:

Affects: fedora-all [bug 1197084]
Comment 2 Siddharth Sharma 2015-02-27 08:27:23 EST 
Patch
=====

I suppose this is the patch

http://pkgs.fedoraproject.org/cgit/texlive.git/commit/?id=7fea493a0dfcd6e42329347cab50eb2ecdc0b69b
Comment 3 Ngo Than 2015-04-01 07:55:26 EDT 
it's already fixed in texlive-2013-6.20131226_r32488.fc20, texlive-2014-3.1.20140525_r34255.fc21
Comment 4 Fedora Update System 2015-04-02 11:36:35 EDT 
texlive-2013-6.20131226_r32488.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2015-04-08 02:55:33 EDT 
texlive-2014-3.1.20140525_r34255.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.