Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 43342 - race condition - possible elevation of privs
race condition - possible elevation of privs
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: tetex (Show other bugs)
7.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Tim Waugh
David Lawrence
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-06-03 07:37 EDT by Need Real Name
Modified: 2007-04-18 12:33 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-07-01 08:20:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix temporary file handling in tetex scripts (6.89 KB, patch)
2001-06-03 09:59 EDT, Tim Waugh
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2001:102 normal SHIPPED_LIVE : New teTeX packages available 2001-08-22 00:00:00 EDT

  None (edit)
Description Need Real Name 2001-06-03 07:37:28 EDT
bash# rpm -qf /usr/bin/mktexlsr
tetex-1.0.7-7

This program handles temporary files insecurely. 

If the file /var/lib/texmf/ls-R doesn't exist (as it won't in a
new install, or if the file hasn't been accessed in 90 days
(/etc/cron.daily/tetex.cron cleans the directory, although the comment
claims it will be 10 days. (comments should be kept consistant with
reality, otherwise there is no point in them being there. ))) 

if LPRng is installed, an exploit can be run that will allow changing the
configuration of the printer daemon.

As this program is executed by LPRng it is possible to gain access 
with whatever perms the daemon runs with. 
(This (at time of writing) included all the groups root is in, due to
the daemon failing to drop permissions properly. (bugzilla id 43341))
Comment 1 Tim Waugh 2001-06-03 09:57:30 EDT
In rawhide's tetex-1.0.7-18 package is the following patch, which closes a lot 
of temporary file handling problems.
Comment 2 Tim Waugh 2001-06-03 09:59:20 EDT
Created attachment 20173 [details]
Fix temporary file handling in tetex scripts
Comment 3 Need Real Name 2001-07-01 08:20:16 EDT
Is there going to be an errata release? or is this just going to lie about being
exploitable forever?

Note You need to log in before you can comment on or make changes to this bug.