Bug 43342 - race condition - possible elevation of privs
Summary: race condition - possible elevation of privs
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: tetex   
(Show other bugs)
Version: 7.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Tim Waugh
QA Contact: David Lawrence
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2001-06-03 11:37 UTC by Need Real Name
Modified: 2007-04-18 16:33 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-07-01 12:20:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Fix temporary file handling in tetex scripts (6.89 KB, patch)
2001-06-03 13:59 UTC, Tim Waugh
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2001:102 normal SHIPPED_LIVE : New teTeX packages available 2001-08-22 04:00:00 UTC

Description Need Real Name 2001-06-03 11:37:28 UTC
bash# rpm -qf /usr/bin/mktexlsr

This program handles temporary files insecurely. 

If the file /var/lib/texmf/ls-R doesn't exist (as it won't in a
new install, or if the file hasn't been accessed in 90 days
(/etc/cron.daily/tetex.cron cleans the directory, although the comment
claims it will be 10 days. (comments should be kept consistant with
reality, otherwise there is no point in them being there. ))) 

if LPRng is installed, an exploit can be run that will allow changing the
configuration of the printer daemon.

As this program is executed by LPRng it is possible to gain access 
with whatever perms the daemon runs with. 
(This (at time of writing) included all the groups root is in, due to
the daemon failing to drop permissions properly. (bugzilla id 43341))

Comment 1 Tim Waugh 2001-06-03 13:57:30 UTC
In rawhide's tetex-1.0.7-18 package is the following patch, which closes a lot 
of temporary file handling problems.

Comment 2 Tim Waugh 2001-06-03 13:59:20 UTC
Created attachment 20173 [details]
Fix temporary file handling in tetex scripts

Comment 3 Need Real Name 2001-07-01 12:20:16 UTC
Is there going to be an errata release? or is this just going to lie about being
exploitable forever?

Note You need to log in before you can comment on or make changes to this bug.