To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mktexlsr: insecure use of /tmp
Date: Sun, 11 Jan 2015 22:52:57 +0100
Package: texlive-binaries
Version: 2014.20140926.35254-4
Tags: security
This is how mktexlsr uses temporary files (with boring parts snipped):
treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
# ...
while test $# -gt 0; do
  # ...
  (umask 077
  if echo "$1" >>"$treefile"; then :; else
    echo "$progname: $treefile: could not append to arg file, goodbye." >&2
    exit 1
  fi
  # ...
done
This is insecure because the filename is predictable and, more
importantly, the program doesn't fail atomically if the file already
exists.
Please use mktemp(1) for creating temporary files.
--
Jakub Wilk
Information forwarded to debian-bugs-dist@lists.debian.org, Debian TeX Maintainers <debian-tex-maint@lists.debian.org>: Bug#775139; Package texlive-binaries. (Mon, 12 Jan 2015 13:21:05 GMT)
Acknowledgement sent to Norbert Preining <preining@logic.at>: Extra info received and forwarded to list. Copy sent to Debian TeX Maintainers <debian-tex-maint@lists.debian.org>. (Mon, 12 Jan 2015 13:21:05 GMT)
Subject: Re: Bug#775139: mktexlsr: insecure use of /tmp
Date: Mon, 12 Jan 2015 15:48:49 +0100
Hi Norbert!
Thanks for the quick reply.
* Norbert Preining <preining@logic.at>, 2015-01-12, 22:18:
>> treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
>>[...]
>> Please use mktemp(1) for creating temporary files.
>
>Is this fine?
>--- texlive-bin.orig/texk/kpathsea/mktexlsr
>+++ texlive-bin/texk/kpathsea/mktexlsr
>@@ -73,7 +73,7 @@
> dry_run=false
> trees=
>
>-treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
>+treefile=`mktemp -q --tmpdir mktexlsrtrees.XXXXXXXXXX`
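Review bot: the new `treefile=` line at the end of this hunk discards mktemp's exit status and, because of `-q`, its diagnostic as well, so when the template cannot be created `treefile` is an empty string and the script carries on appending to `""`. Drop `-q` and stop on failure: `treefile=$(mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX) || exit 1`. Note also that `--tmpdir` is a GNU coreutils option; the removed line honoured `${TMPDIR-/tmp}` explicitly, and since mktexlsr is an upstream TeX Live script that also runs on BSD and macOS, the portable spelling `mktemp "${TMPDIR-/tmp}/mktexlsrtrees.XXXXXXXXXX"` keeps the same behaviour there.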
It's mostly fine.
Why silence errors from mktemp(1)? You get rather mysterious errors if
creating the temporary file fails:
$ TMPDIR=/moo mktexlsr .
/usr/bin/mktexlsr: 113: /usr/bin/mktexlsr: cannot create : Directory nonexistent
mktexlsr: : could not append to arg file, goodbye.
mktexlsr: /var/lib/texmf: directory not writable. Skipping...
mktexlsr: /var/lib/texmf: directory not writable. Skipping...
mktexlsr: /var/lib/texmf: directory not writable. Skipping...
mktexlsr: Done.
I'd suggest dropping -q, and making the script exit early if mktemp
fails:
treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1
With that change, the error message is clear:
$ TMPDIR=/moo mktexlsr .
mktemp: failed to create file via template ‘/moo/mktexlsrtrees.XXXXXXXXXX’: No such file or directory
>Should I upload this to unstable now for jessie?
Jessie RC policy[0] says that “any programs and scripts that create
files in /tmp or other world writable directories must use a mechanism
which fails if the file already exists”. So it's arguably RC for jessie.
[0] https://release.debian.org/jessie/rc_policy.txt
--
Jakub Wilk
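The two points raised in this thread, the predictable `$$`-derived name from the original report and the unchecked, `-q`-silenced mktemp call discussed just above, as an added shell demonstration (example code written for this page, not code from mktexlsr, TeX Live or Debian). An attacker plants a symlink under the guessed name; the old pattern appends straight through it into the victim file, while the mktemp version gets a fresh mode-0600 file or stops with mktemp's own error. The demo directory, the fake PID 4242 and the victim file are constructed for the example, and it uses the explicit-template form of mktemp rather than GNU `--tmpdir` so that it also runs against BSD mktemp.

```shell
#!/bin/sh
# Added illustration for this bug report; it is not code from mktexlsr,
# TeX Live or Debian. The old script derived its temp-file name from $$ and
# opened it with >>, which follows a symlink an attacker has planted under
# the guessed name. The hardened variant uses mktemp(1), which creates the
# file itself (O_EXCL, mode 0600) and fails rather than reuse an existing
# name; its exit status is checked, so a failure stops the script with
# mktemp's diagnostic instead of a mysterious "cannot create :" later on.
# The fix in texlive-bin used GNU `mktemp --tmpdir`; the explicit template
# form below behaves the same and also works with BSD mktemp. Every path
# here lives under directories created for the demo.

# Vulnerable pattern, modelled on mktexlsr before the fix.
#   $1 = directory standing in for $TMPDIR, $2 = the PID an attacker guessed,
#   $3 = the tree path that mktexlsr would record.
insecure_append() {
    dir=$1 pid=$2 tree=$3
    treefile="$dir/mktexlsrtrees$pid.tmp"
    # umask only governs files that >> has to create; anything already
    # sitting at this name, symlink included, is opened as it is.
    (umask 077; echo "$tree" >> "$treefile") || return 1
    printf '%s\n' "$treefile"
}

# Attacker's move: before the victim runs, plant a symlink under the
# predictable name pointing at the file to be clobbered.
plant_symlink() {
    dir=$1 pid=$2 target=$3
    ln -s "$target" "$dir/mktexlsrtrees$pid.tmp"
}

# Hardened pattern, the shape of the change made in texlive-bin -5.
#   $1 = directory standing in for $TMPDIR, $2 = the tree path.
secure_append() {
    dir=$1 tree=$2
    # mktemp refuses to reuse an existing name, so a planted symlink is
    # never followed; on failure it prints why and we stop right here.
    treefile=$(mktemp "$dir/mktexlsrtrees.XXXXXXXXXX") || return 1
    echo "$tree" >> "$treefile" || return 1
    printf '%s\n' "$treefile"
}

# Runs both variants against a constructed victim file and prints what
# happened. Returns 0 when the secure path worked.
run_demo() {
    demo=$(mktemp -d) || return 1
    victim="$demo/victim"   # constructed stand-in for a file the attacker wants overwritten
    : > "$victim"

    plant_symlink "$demo" 4242 "$victim"
    insecure_append "$demo" 4242 /usr/share/texmf >/dev/null
    echo "insecure: victim file now contains: $(cat "$victim")"

    f=$(secure_append "$demo" /usr/share/texmf) || { rm -rf "$demo"; return 1; }
    if [ -f "$f" ] && [ ! -L "$f" ]; then kind="a fresh regular file"; else kind="NOT a regular file"; fi
    echo "secure:   wrote to $f ($kind)"

    # What the "TMPDIR=/moo mktexlsr ." case looks like with the check in place.
    if secure_append "$demo/no-such-dir" /usr/share/texmf; then
        echo "unexpected: mktemp succeeded in a missing directory"
    else
        echo "secure:   creation failed, script stops (mktemp's message above)"
    fi

    rm -rf "$demo"
}

run_demo
```

Running it shows the victim file filled with the "tree" string after the insecure append, a random `mktexlsrtrees.XXXXXXXXXX` regular file from the secure one, and mktemp's own "No such file or directory" message for the missing directory, which is exactly the clear failure the thread asks for. The symlink follow in the insecure path relies on attacker and victim sharing the demo directory; on a real system the same race is what fs.protected_symlinks mitigates in sticky world-writable directories, but the script should not depend on that.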
Reply sent to Norbert Preining <preining@debian.org>: You have taken responsibility. (Mon, 12 Jan 2015 23:21:05 GMT)
Notification sent to Jakub Wilk <jwilk@debian.org>: Bug acknowledged by developer. (Mon, 12 Jan 2015 23:21:06 GMT)
Subject: Bug#775139: fixed in texlive-bin 2014.20140926.35254-5
Date: Mon, 12 Jan 2015 23:18:47 +0000
Source: texlive-bin
Source-Version: 2014.20140926.35254-5
We believe that the bug you reported is fixed in the latest version of
texlive-bin, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 775139@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Norbert Preining <preining@debian.org> (supplier of updated texlive-bin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 13 Jan 2015 07:32:13 +0900
Source: texlive-bin
Binary: texlive-binaries libkpathsea6 libkpathsea-dev libptexenc1 libptexenc-dev libsynctex1 libsynctex-dev luatex
Architecture: source amd64 all
Version: 2014.20140926.35254-5
Distribution: unstable
Urgency: high
Maintainer: Debian TeX Maintainers <debian-tex-maint@lists.debian.org>
Changed-By: Norbert Preining <preining@debian.org>
Description:
libkpathsea-dev - TeX Live: path search library for TeX (development part)
libkpathsea6 - TeX Live: path search library for TeX (runtime part)
libptexenc-dev - TeX Live: ptex encoding library (development part)
libptexenc1 - TeX Live: pTeX encoding library
libsynctex-dev - Tex Live: SyncTeX parser library (development part)
libsynctex1 - TeX Live: SyncTeX parser library
luatex - TeX Live: transitional dummy package
texlive-binaries - Binaries for TeX Live
Closes: 775139
Changes:
texlive-bin (2014.20140926.35254-5) unstable; urgency=high
.
* fix insecure temp file creation in mktexlsr (Closes: #775139)
Checksums-Sha1:
59ffd52139fdccd2f858ca49c7dc6fdc10cab077 2941 texlive-bin_2014.20140926.35254-5.dsc
96637c0eb4b72ebb64545be541e5fe6e271750c0 62124 texlive-bin_2014.20140926.35254-5.debian.tar.xz
64cf067bec65a94d9473b57d7e394340e5fdbd95 6800660 texlive-binaries_2014.20140926.35254-5_amd64.deb
bd36b655fbb52e03306fcdfc27c432287639e541 153524 libkpathsea6_2014.20140926.35254-5_amd64.deb
09743c21adc6b988ba8f1d115171de77047d8f23 180094 libkpathsea-dev_2014.20140926.35254-5_amd64.deb
8849506ec4bf3ea8bbff1d108247e35678e512a7 54006 libptexenc1_2014.20140926.35254-5_amd64.deb
151842b9608d6f1e98e393cc08bddac526ec7c32 53302 libptexenc-dev_2014.20140926.35254-5_amd64.deb
24bf4076b452165f202105a00a62dca957b59b10 60936 libsynctex1_2014.20140926.35254-5_amd64.deb
0d19447237215a26de50ca1217ea03ff04646932 58978 libsynctex-dev_2014.20140926.35254-5_amd64.deb
931c81047addca4cff45035bbee8a2b35bc3926e 27720 luatex_2014.20140926.35254-5_all.deb
Checksums-Sha256:
36526f08f2ad26f1ab326e12463ea4e2483fd784e2fe4f5dbde90955ad20fec3 2941 texlive-bin_2014.20140926.35254-5.dsc
8904cbc2dc8c3365377863b5d640195753764795cd64929c7aa9f16837596ce2 62124 texlive-bin_2014.20140926.35254-5.debian.tar.xz
6a52baf6cc487c665016112ffe429417a84a075200a0f9f0964e517e452b8dc3 6800660 texlive-binaries_2014.20140926.35254-5_amd64.deb
195616ec261c7841e90d8d4181179c33bcc618e9f68ab8496c753f6d64adbeb3 153524 libkpathsea6_2014.20140926.35254-5_amd64.deb
b39348c37b7348901c30d767135440a49526700c36b5177a9f9cec20231ce2cc 180094 libkpathsea-dev_2014.20140926.35254-5_amd64.deb
5a12646b820d3af3fe223ada74359a406b9ad060233df34e65ed946e05a61fab 54006 libptexenc1_2014.20140926.35254-5_amd64.deb
82725a22c8a502d63bf2e4269c9076684715d74d3e37495f88ad29561f1047bb 53302 libptexenc-dev_2014.20140926.35254-5_amd64.deb
2382af7805b41a2b4bbc1afcc7f02f94f0000c86bd25a7222802c9e7ec21ab5c 60936 libsynctex1_2014.20140926.35254-5_amd64.deb
2d9b30c333f6d6bbc3c8a200de38dd396404e3ebdbc840d454c0e90f9c382d63 58978 libsynctex-dev_2014.20140926.35254-5_amd64.deb
db35c138b1d90a39973f9c6d19adef09451015a0125967e35a4c15d9e184279c 27720 luatex_2014.20140926.35254-5_all.deb
Files:
86559ed812af4dcc6bbbb4661d7c0bf1 2941 tex optional texlive-bin_2014.20140926.35254-5.dsc
984c100c611ab476d8d7720bb32d2875 62124 tex optional texlive-bin_2014.20140926.35254-5.debian.tar.xz
7b16ff69e7b75b5207e234f46415f4d0 6800660 tex optional texlive-binaries_2014.20140926.35254-5_amd64.deb
1a5b7dd3e4e3871c20a033c4f85d63f8 153524 libs optional libkpathsea6_2014.20140926.35254-5_amd64.deb
f82b60b00a00763e85e354413e2a9080 180094 libdevel optional libkpathsea-dev_2014.20140926.35254-5_amd64.deb
a281c6e632bdc019c283f1ac3b3e1785 54006 libs optional libptexenc1_2014.20140926.35254-5_amd64.deb
2ad4d223eb26ca1f163a4ee7f51bc339 53302 libdevel optional libptexenc-dev_2014.20140926.35254-5_amd64.deb
24707f7d4f0bf2f2858db5d692b8a245 60936 libs optional libsynctex1_2014.20140926.35254-5_amd64.deb
cf348194687984ded41866036edbcaaf 58978 libdevel optional libsynctex-dev_2014.20140926.35254-5_amd64.deb
b8fe714c745f708554379b4bca657590 27720 oldlibs extra luatex_2014.20140926.35254-5_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=Zq1j
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian TeX Maintainers <debian-tex-maint@lists.debian.org>: Bug#775139; Package texlive-binaries. (Mon, 12 Jan 2015 23:27:04 GMT)
Acknowledgement sent to Norbert Preining <preining@logic.at>: Extra info received and forwarded to list. Copy sent to Debian TeX Maintainers <debian-tex-maint@lists.debian.org>. (Mon, 12 Jan 2015 23:27:04 GMT)
To: Jakub Wilk <jwilk@debian.org>, 775139@bugs.debian.org
Subject: Re: Bug#775139: mktexlsr: insecure use of /tmp
Date: Tue, 13 Jan 2015 08:24:48 +0900
Dear Jakub,
> treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1
Thanks, that is fine. I have built, tested, and uploaded new packages.
In 4 days or so I will ask for a freeze exception.
All the best
Norbert
------------------------------------------------------------------------
PREINING, Norbert http://www.preining.info
JAIST, Japan TeX Live & Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
------------------------------------------------------------------------
Marked as found in versions texlive-bin/2012.20120628-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Jan 2015 12:18:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian TeX Maintainers <debian-tex-maint@lists.debian.org>: Bug#775139; Package texlive-binaries. (Tue, 13 Jan 2015 18:54:05 GMT)
Acknowledgement sent to Julian Gilbey <julian@d-and-j.net>: Extra info received and forwarded to list. Copy sent to Debian TeX Maintainers <debian-tex-maint@lists.debian.org>. (Tue, 13 Jan 2015 18:54:05 GMT)
To: Norbert Preining <preining@logic.at>, 775139@bugs.debian.org
Subject: Re: Bug#775139: mktexlsr: insecure use of /tmp
Date: Tue, 13 Jan 2015 18:51:13 +0000
On Tue, Jan 13, 2015 at 08:24:48AM +0900, Norbert Preining wrote:
> Dear Jakub,
>
> > treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1
>
> Thanks, that is fine. I have built, tested, and uploaded new packages.
> In 4 days or so I will ask for a freeze exception.
You don't need to wait that long if you don't want to - you can ask
for an exception immediately following an upload.
Julian
Information forwarded to debian-bugs-dist@lists.debian.org, Debian TeX Maintainers <debian-tex-maint@lists.debian.org>: Bug#775139; Package texlive-binaries. (Tue, 13 Jan 2015 22:54:05 GMT)
Acknowledgement sent to Norbert Preining <preining@logic.at>: Extra info received and forwarded to list. Copy sent to Debian TeX Maintainers <debian-tex-maint@lists.debian.org>. (Tue, 13 Jan 2015 22:54:05 GMT)
Subject: Re: Bug#775139: mktexlsr: insecure use of /tmp
Date: Wed, 14 Jan 2015 07:51:34 +0900
Hi Julian,
> You don't need to wait that long if you don't want to - you can ask
> for an exception immediately following an upload.
Yes, but I want to make sure that all rebuilds have worked and that
no new problems arise ;-) Not very likely, but still a chance.
Norbert
------------------------------------------------------------------------
PREINING, Norbert http://www.preining.info
JAIST, Japan TeX Live & Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
------------------------------------------------------------------------
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 12 Feb 2015 07:27:09 GMT)