A flaw was found in the pre-install script of texlive-base package derived from texlive package. This flaw allows unprivileged user to remove arbitrary files on the system. ~ rpm -qa texlive-base --scripts preinstall scriptlet (using /bin/sh): rm -rf /usr/share/texlive/texmf-var rm -rf /var/lib/texmf/* # Following script in the preinstall scriplet allows attacker to remove arbitrary files on the systems for i in `find /home/*/.texlive* -type d -prune`; do find $i -name *.fmt -type f | xargs rm -f > /dev/null 2>&1 done ... Attacker can create a malicious file in his $HOME directory that would trigger file removal and wait for the texlive-base package to be updated by administrator, as when package will be updated it would run preinstall scriplet which would then run malicious file in attacker $HOME directory as privileged user. Reproducer and more information: https://bugzilla.redhat.com/show_bug.cgi?id=1099238
Created texlive tracking bugs for this issue: Affects: fedora-all [bug 1197084]
Patch ===== I suppose this is the patch http://pkgs.fedoraproject.org/cgit/texlive.git/commit/?id=7fea493a0dfcd6e42329347cab50eb2ecdc0b69b
it's already fixed in texlive-2013-6.20131226_r32488.fc20, texlive-2014-3.1.20140525_r34255.fc21
texlive-2013-6.20131226_r32488.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
texlive-2014-3.1.20140525_r34255.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.