It was reported [1] that the mktexlsr script uses /tmp in an insecure way. Part of the original report:

...
This is how mktexlsr uses temporary files (with boring parts snipped):

  treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
  # ...
  while test $# -gt 0; do
    # ...
    (umask 077
    if echo "$1" >>"$treefile"; then :; else
      echo "$progname: $treefile: could not append to arg file, goodbye." >&2
      exit 1
    fi
    # ...
  done

This is insecure because the filename is predictable and, more importantly, the program doesn't fail atomically if the file already exists.
...

Suggested patch is attached.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775139
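The behaviour described in the report, as an added example that is not part of the original report or of TeX Live: it runs the append pattern against an occupied name and compares it with two creation methods that fail or pick a fresh name instead. The function names, the sandbox directory and the sample paths are assumptions made for the demo, and the symlink case goes one step beyond the pre-existing-file case the report names.

```shell
# Constructed demo: everything happens inside a private sandbox directory.

# Pattern from the report: append to a path without checking what is there.
append_predictable() {   # $1 = path, $2 = line to write
  (umask 077; echo "$2" >>"$1")
}

# Hardened alternative 1: with noclobber (set -C), ">" refuses a name that
# already exists as a regular file (directly or via symlink) and creates a
# missing one with O_EXCL. The subshell keeps set -C and the failure local.
create_exclusive() {     # $1 = path
  (umask 077; set -C; : >"$1") 2>/dev/null
}

# Hardened alternative 2: mktemp picks an unpredictable name and creates
# the file atomically with mode 0600; it prints the new path.
create_with_mktemp() {   # $1 = directory
  mktemp "$1/mktexlsrtrees.XXXXXXXXXX"
}

demo() {
  sandbox=$(mktemp -d) || return 1
  predictable="$sandbox/mktexlsrtrees$$.tmp"   # same naming scheme, private dir
  other="$sandbox/other-users-file"

  # Case 1: a file already exists at the predictable name.
  echo "pre-existing line" >"$predictable"
  append_predictable "$predictable" "/usr/share/texmf"
  lines_after_append=$(wc -l <"$predictable" | tr -d ' ')   # old content is kept

  # Case 2: the name is a symlink to another file; the append follows it.
  rm -f "$predictable"; : >"$other"; ln -s "$other" "$predictable"
  append_predictable "$predictable" "/usr/share/texmf"
  other_content=$(cat "$other")

  # The exclusive create refuses the occupied name; mktemp gets a fresh file.
  if create_exclusive "$predictable"; then exclusive="created"; else exclusive="refused"; fi
  fresh=$(create_with_mktemp "$sandbox") || return 1
  fresh_size=$(wc -c <"$fresh" | tr -d ' ')

  rm -rf "$sandbox"
  echo "append kept $lines_after_append lines; symlink target got: $other_content"
  echo "exclusive create: $exclusive; mktemp file size: $fresh_size"
}

demo
```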
Created attachment 979176
mktexlsr.patch
Created texlive tracking bugs for this issue: Affects: fedora-all [bug 1181169]
Do we have a CVE ID for this bug?
texlive-2014-8.20140525_r34255.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
texlive-2014-7.1.20140525_r34255.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Ngo Than from comment #3)
> do we have CVE id for this bug?

Have just requested one on oss-security. This BZ will be updated with the CVE ID once it's assigned.

This is how upstream fixed it:

--- texlive-bin.orig/texk/kpathsea/mktexlsr +++ texlive-bin/texk/kpathsea/mktexlsr @@ -73,7 +73,7 @@ dry_run=false trees= -treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp" +treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1
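Review bot: the --tmpdir option on the added treefile= line is specific to GNU coreutils mktemp, so on a system whose mktemp does not accept it the script now stops at startup through "|| exit 1" before doing any work. Passing a full template path instead, built from the same ${TMPDIR-/tmp} default that the removed line used, is accepted by more mktemp implementations and keeps the atomic, unpredictable creation. Separately, the file is now created at assignment time, directly after dry_run=false and trees=, so every invocation creates it whether or not a tree list is ever written; unless cleanup exists outside this hunk, a trap that removes "$treefile" on exit should follow the assignment.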
MITRE assigned two CVEs, details here: http://seclists.org/oss-sec/2015/q3/250
To clear things up. CVE-2015-5700 is for the issue introduced by this commit (lines 69-72):

http://tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=19613&r2=22885

It looks like later at some point this was fixed to use "mktemp --tmpdir" (commit unknown), and CVE-2015-5701 was assigned to the issue introduced by this commit:

http://tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=36626&r2=36855
Looks like this was introduced via:

http://tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=19613&r2=22885

Texlive for RHEL6 does not have this change yet and is not vulnerable. Texlive for RHEL7, however, ships with this change and is vulnerable.