A flaw was found in the pre-install script of texlive-base package derived from
texlive package. This flaw allows unprivileged user to remove arbitrary files
on the system.
~ rpm -qa texlive-base --scripts
preinstall scriptlet (using /bin/sh):
rm -rf /usr/share/texlive/texmf-var
rm -rf /var/lib/texmf/*
# Following script in the preinstall scriplet allows attacker to remove arbitrary
files on the systems
for i in `find /home/*/.texlive* -type d -prune`; do
find $i -name *.fmt -type f | xargs rm -f > /dev/null 2>&1
Attacker can create a malicious file in his $HOME directory that would trigger
file removal and wait for the texlive-base package to be updated by administrator,
as when package will be updated it would run preinstall scriplet which would then
run malicious file in attacker $HOME directory as privileged user.
Reproducer and more information:
Created texlive tracking bugs for this issue:
Affects: fedora-all [bug 1197084]
I suppose this is the patch
it's already fixed in texlive-2013-6.20131226_r32488.fc20, texlive-2014-3.1.20140525_r34255.fc21
texlive-2013-6.20131226_r32488.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
texlive-2014-3.1.20140525_r34255.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.