The texindex command uses predictable temporary filenames. This could allow a rogue local user to create a symlink which would cause texindex to overwrite various files the user running texindex has write access to. There is more informatin in the Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328365 No patch exists yet. This issue seems to be mitigated by the fact that texindex will only use a temporary file when the file being processed is over 50,000 lines.
This issue should also affect RHEL2.1 and RHEL3
Hmm, not sure which patch to use. The patch given here: http://patches.ubuntu.com/patches/texinfo.CAN-2005-3011.diff seems to cause an error in my testing. This short script: >input.cp for i in $(seq 1 50001) do echo '\entry{foo}{1}{foo}' >>input.cp done texindex input.cp produces: /tmp/txidxHECDeb.3: File exists Continuing investigation.
Okay, Norbert Preining's texinfo-race-fix.diff is the one to use.
I'd like to defer this to a future ASYNC update rather than RHEL4U3. If we do this update for RHEL4U3 we also have to do an update for RHEL3U7 and an ASYNC update for RHEL2.1.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0727.html