Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 43342

Summary: race condition - possible elevation of privs
Product: [Retired] Red Hat Linux Reporter: Need Real Name <empathy>
Component: tetexAssignee: Tim Waugh <twaugh>
Status: CLOSED ERRATA QA Contact: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: jarno.huuskonen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-07-01 12:20:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Fix temporary file handling in tetex scripts none

Description Need Real Name 2001-06-03 11:37:28 UTC 
bash# rpm -qf /usr/bin/mktexlsr
tetex-1.0.7-7

This program handles temporary files insecurely. 

If the file /var/lib/texmf/ls-R doesn't exist (as it won't in a
new install, or if the file hasn't been accessed in 90 days
(/etc/cron.daily/tetex.cron cleans the directory, although the comment
claims it will be 10 days. (comments should be kept consistant with
reality, otherwise there is no point in them being there. ))) 

if LPRng is installed, an exploit can be run that will allow changing the
configuration of the printer daemon.

As this program is executed by LPRng it is possible to gain access 
with whatever perms the daemon runs with. 
(This (at time of writing) included all the groups root is in, due to
the daemon failing to drop permissions properly. (bugzilla id 43341))
Comment 1 Tim Waugh 2001-06-03 13:57:30 UTC 
In rawhide's tetex-1.0.7-18 package is the following patch, which closes a lot 
of temporary file handling problems.
Comment 2 Tim Waugh 2001-06-03 13:59:20 UTC 
Created attachment 20173 [details]
Fix temporary file handling in tetex scripts
Comment 3 Need Real Name 2001-07-01 12:20:16 UTC 
Is there going to be an errata release? or is this just going to lie about being
exploitable forever?