Red Hat Bugzilla – Bug 43342
race condition - possible elevation of privs
Last modified: 2007-04-18 12:33:33 EDT
bash# rpm -qf /usr/bin/mktexlsr
This program handles temporary files insecurely.
If the file /var/lib/texmf/ls-R doesn't exist (as it won't in a
new install, or if the file hasn't been accessed in 90 days
(/etc/cron.daily/tetex.cron cleans the directory, although the comment
claims it will be 10 days. (comments should be kept consistant with
reality, otherwise there is no point in them being there. )))
if LPRng is installed, an exploit can be run that will allow changing the
configuration of the printer daemon.
As this program is executed by LPRng it is possible to gain access
with whatever perms the daemon runs with.
(This (at time of writing) included all the groups root is in, due to
the daemon failing to drop permissions properly. (bugzilla id 43341))
In rawhide's tetex-1.0.7-18 package is the following patch, which closes a lot
of temporary file handling problems.
Created attachment 20173 [details]
Fix temporary file handling in tetex scripts
Is there going to be an errata release? or is this just going to lie about being