Debian Bug report logs - #775139
mktexlsr: insecure use of /tmp


Package: texlive-binaries; Maintainer for texlive-binaries is Debian TeX Task Force <debian-tex-maint@lists.debian.org>; Source for texlive-binaries is src:texlive-bin.

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Sun, 11 Jan 2015 21:57:02 UTC

Severity: normal

Tags: security

Found in versions texlive-bin/2012.20120628-4, texlive-bin/2014.20140926.35254-4

Fixed in version texlive-bin/2014.20140926.35254-5

Done: Norbert Preining <preining@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Debian TeX Maintainers <debian-tex-maint@lists.debian.org>:
Bug#775139; Package texlive-binaries. (Sun, 11 Jan 2015 21:57:07 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mktexlsr: insecure use of /tmp
Date: Sun, 11 Jan 2015 22:52:57 +0100
Package: texlive-binaries
Version: 2014.20140926.35254-4
Tags: security

This is how mktexlsr uses temporary files (with boring parts snipped):

treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
# ...
while test $# -gt 0; do
   # ...
   (umask 077
   if echo "$1" >>"$treefile"; then :; else
     echo "$progname: $treefile: could not append to arg file, goodbye." >&2
     exit 1
   fi
   # ...
done


This is insecure because the filename is predictable and, more 
importantly, the program doesn't fail atomically if the file already 
exists.

Please use mktemp(1) for creating temporary files.

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Debian TeX Maintainers <debian-tex-maint@lists.debian.org>:
Bug#775139; Package texlive-binaries. (Mon, 12 Jan 2015 13:21:05 GMT)


Acknowledgement sent to Norbert Preining <preining@logic.at>:
Extra info received and forwarded to list. Copy sent to Debian TeX Maintainers <debian-tex-maint@lists.debian.org>. (Mon, 12 Jan 2015 13:21:05 GMT)


Message #8 received at 775139@bugs.debian.org:

From: Norbert Preining <preining@logic.at>
To: Jakub Wilk <jwilk@debian.org>, 775139@bugs.debian.org
Subject: Re: Bug#775139: mktexlsr: insecure use of /tmp
Date: Mon, 12 Jan 2015 22:18:15 +0900
> treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
>[...]
> Please use mktemp(1) for creating temporary files.

Is this fine?
--- texlive-bin.orig/texk/kpathsea/mktexlsr
+++ texlive-bin/texk/kpathsea/mktexlsr
@@ -73,7 +73,7 @@
 dry_run=false
 trees=

-treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
+treefile=`mktemp -q --tmpdir mktexlsrtrees.XXXXXXXXXX`
 trap 'cd /; rm -f $treefile; test -z "$db_dir_tmp" || rm -rf "$db_dir_tmp";
       exit' 0 1 2 3 7 13 15

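Review bot: the new line "treefile=`mktemp -q --tmpdir mktexlsrtrees.XXXXXXXXXX`" silences mktemp's own diagnostic with -q and nothing checks its exit status, so when the file cannot be created $treefile is empty and the script carries on with a blank path (the trap's "rm -f $treefile" then also runs with an empty, unquoted argument). Drop -q and abort on failure, e.g. "treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1", and quote "$treefile" in the trap. Note also that --tmpdir is a GNU coreutils option, so this is fine for the Debian package but may need adapting if texk/kpathsea/mktexlsr is shared with non-GNU systems.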
?

Should I upload this to unstable now for jessie?


Norbert

------------------------------------------------------------------------
PREINING, Norbert                               http://www.preining.info
JAIST, Japan                                 TeX Live & Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0  ACF0 6CAC A448 860C DC13
------------------------------------------------------------------------



Information forwarded to debian-bugs-dist@lists.debian.org, Debian TeX Maintainers <debian-tex-maint@lists.debian.org>:
Bug#775139; Package texlive-binaries. (Mon, 12 Jan 2015 14:51:05 GMT)


Message #11 received at 775139@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 775139@bugs.debian.org
Subject: Re: Bug#775139: mktexlsr: insecure use of /tmp
Date: Mon, 12 Jan 2015 15:48:49 +0100
Hi Norbert!

Thanks for the quick reply.

* Norbert Preining <preining@logic.at>, 2015-01-12, 22:18:
>> treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
>>[...]
>> Please use mktemp(1) for creating temporary files.
>
>Is this fine?
>--- texlive-bin.orig/texk/kpathsea/mktexlsr
>+++ texlive-bin/texk/kpathsea/mktexlsr
>@@ -73,7 +73,7 @@
> dry_run=false
> trees=
>
>-treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
>+treefile=`mktemp -q --tmpdir mktexlsrtrees.XXXXXXXXXX`

It's mostly fine.

Why silence errors from mktemp(1)? You get rather mysterious errors if 
creating the temporary file fails:

$ TMPDIR=/moo mktexlsr .
/usr/bin/mktexlsr: 113: /usr/bin/mktexlsr: cannot create : Directory nonexistent
mktexlsr: : could not append to arg file, goodbye.
mktexlsr: /var/lib/texmf: directory not writable. Skipping...
mktexlsr: /var/lib/texmf: directory not writable. Skipping...
mktexlsr: /var/lib/texmf: directory not writable. Skipping...
mktexlsr: Done.


I'd suggest dropping -q, and making the script exit early if mktemp 
fails:

treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1

With that change, the error message is clear:

$ TMPDIR=/moo mktexlsr .
mktemp: failed to create file via template ‘/moo/mktexlsrtrees.XXXXXXXXXX’: No such file or directory


>Should I upload this to unstable now for jessie?

Jessie RC policy[0] says that “any programs and scripts that create 
files in /tmp or other world writable directories must use a mechanism 
which fails if the file already exists”. So it's arguably RC for jessie.


[0] https://release.debian.org/jessie/rc_policy.txt

-- 
Jakub Wilk
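To show both halves of the thread in one runnable script (the predictable-name, no-atomic-failure pattern from the original report, and the mktemp-without--q-plus-exit-on-failure pattern settled on above), here is an added example. It is not code from the bug report or from texlive-bin; the function names, the sanity check and the directory arguments are my own, and like the Debian fix it assumes GNU coreutils (mktemp --tmpdir, stat -c).

```shell
#!/bin/sh
# Added example, not from the bug report or texlive-bin: a stand-in for
# mktexlsr's argument-collection loop using the temp-file pattern the
# thread settles on (mktemp, no -q, exit on failure). Assumes GNU
# coreutils. Function names are my own.

# Create the per-run temp file. mktemp picks an unpredictable name,
# creates the file exclusively (fails if it already exists) with mode
# 0600, and prints its own diagnostic on stderr when it cannot create
# it, instead of handing back a name that someone else could have placed
# in /tmp first. --tmpdir honours $TMPDIR, else /tmp.
create_treefile() {
    mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX || return 1
}

# Append each argument to a fresh treefile, as the mktexlsr loop does,
# but stop at the first error instead of continuing with an empty path
# (the failure mode the "-q without a check" version produced).
# Prints the treefile path on success; the caller removes the file.
collect_trees() {
    treefile=$(create_treefile) || return 1
    for tree in "$@"; do
        if ! echo "$tree" >>"$treefile"; then
            echo "collect_trees: $treefile: could not append to arg file" >&2
            rm -f "$treefile"
            return 1
        fi
    done
    printf '%s\n' "$treefile"
}

# Sanity check for a created temp file: a regular file, not a symlink,
# owned by the caller, readable and writable by nobody else (0600).
treefile_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ "$(stat -c %u "$f")" = "$(id -u)" ] || return 1
    [ "$(stat -c %a "$f")" = 600 ]
}

# Demo (directory names are illustrative): the success path, then the
# failure path, which now aborts with mktemp's clear message instead of
# the "could not append to arg file" chain seen in the thread.
f=$(collect_trees /usr/share/texmf /var/lib/texmf) && {
    cat "$f"
    treefile_is_private "$f" && echo "treefile is private"
    rm -f "$f"
}
(TMPDIR=/nonexistent; export TMPDIR; collect_trees /usr/share/texmf) \
    || echo "aborted cleanly, status $?"
```

Run it with sh; the second call prints only mktemp's own "failed to create file via template" error followed by the "aborted cleanly" line, which is the behaviour the `|| exit 1` form gives mktexlsr.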



Reply sent to Norbert Preining <preining@debian.org>:
You have taken responsibility. (Mon, 12 Jan 2015 23:21:05 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Mon, 12 Jan 2015 23:21:06 GMT)


Message #16 received at 775139-close@bugs.debian.org:

From: Norbert Preining <preining@debian.org>
To: 775139-close@bugs.debian.org
Subject: Bug#775139: fixed in texlive-bin 2014.20140926.35254-5
Date: Mon, 12 Jan 2015 23:18:47 +0000
Source: texlive-bin
Source-Version: 2014.20140926.35254-5

We believe that the bug you reported is fixed in the latest version of
texlive-bin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775139@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Preining <preining@debian.org> (supplier of updated texlive-bin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 13 Jan 2015 07:32:13 +0900
Source: texlive-bin
Binary: texlive-binaries libkpathsea6 libkpathsea-dev libptexenc1 libptexenc-dev libsynctex1 libsynctex-dev luatex
Architecture: source amd64 all
Version: 2014.20140926.35254-5
Distribution: unstable
Urgency: high
Maintainer: Debian TeX Maintainers <debian-tex-maint@lists.debian.org>
Changed-By: Norbert Preining <preining@debian.org>
Description:
 libkpathsea-dev - TeX Live: path search library for TeX (development part)
 libkpathsea6 - TeX Live: path search library for TeX (runtime part)
 libptexenc-dev - TeX Live: ptex encoding library (development part)
 libptexenc1 - TeX Live: pTeX encoding library
 libsynctex-dev - Tex Live: SyncTeX parser library (development part)
 libsynctex1 - TeX Live: SyncTeX parser library
 luatex     - TeX Live: transitional dummy package
 texlive-binaries - Binaries for TeX Live
Closes: 775139
Changes:
 texlive-bin (2014.20140926.35254-5) unstable; urgency=high
 .
   * fix insecure temp file creation in mktexlsr (Closes: #775139)
Checksums-Sha1:
 59ffd52139fdccd2f858ca49c7dc6fdc10cab077 2941 texlive-bin_2014.20140926.35254-5.dsc
 96637c0eb4b72ebb64545be541e5fe6e271750c0 62124 texlive-bin_2014.20140926.35254-5.debian.tar.xz
 64cf067bec65a94d9473b57d7e394340e5fdbd95 6800660 texlive-binaries_2014.20140926.35254-5_amd64.deb
 bd36b655fbb52e03306fcdfc27c432287639e541 153524 libkpathsea6_2014.20140926.35254-5_amd64.deb
 09743c21adc6b988ba8f1d115171de77047d8f23 180094 libkpathsea-dev_2014.20140926.35254-5_amd64.deb
 8849506ec4bf3ea8bbff1d108247e35678e512a7 54006 libptexenc1_2014.20140926.35254-5_amd64.deb
 151842b9608d6f1e98e393cc08bddac526ec7c32 53302 libptexenc-dev_2014.20140926.35254-5_amd64.deb
 24bf4076b452165f202105a00a62dca957b59b10 60936 libsynctex1_2014.20140926.35254-5_amd64.deb
 0d19447237215a26de50ca1217ea03ff04646932 58978 libsynctex-dev_2014.20140926.35254-5_amd64.deb
 931c81047addca4cff45035bbee8a2b35bc3926e 27720 luatex_2014.20140926.35254-5_all.deb
Checksums-Sha256:
 36526f08f2ad26f1ab326e12463ea4e2483fd784e2fe4f5dbde90955ad20fec3 2941 texlive-bin_2014.20140926.35254-5.dsc
 8904cbc2dc8c3365377863b5d640195753764795cd64929c7aa9f16837596ce2 62124 texlive-bin_2014.20140926.35254-5.debian.tar.xz
 6a52baf6cc487c665016112ffe429417a84a075200a0f9f0964e517e452b8dc3 6800660 texlive-binaries_2014.20140926.35254-5_amd64.deb
 195616ec261c7841e90d8d4181179c33bcc618e9f68ab8496c753f6d64adbeb3 153524 libkpathsea6_2014.20140926.35254-5_amd64.deb
 b39348c37b7348901c30d767135440a49526700c36b5177a9f9cec20231ce2cc 180094 libkpathsea-dev_2014.20140926.35254-5_amd64.deb
 5a12646b820d3af3fe223ada74359a406b9ad060233df34e65ed946e05a61fab 54006 libptexenc1_2014.20140926.35254-5_amd64.deb
 82725a22c8a502d63bf2e4269c9076684715d74d3e37495f88ad29561f1047bb 53302 libptexenc-dev_2014.20140926.35254-5_amd64.deb
 2382af7805b41a2b4bbc1afcc7f02f94f0000c86bd25a7222802c9e7ec21ab5c 60936 libsynctex1_2014.20140926.35254-5_amd64.deb
 2d9b30c333f6d6bbc3c8a200de38dd396404e3ebdbc840d454c0e90f9c382d63 58978 libsynctex-dev_2014.20140926.35254-5_amd64.deb
 db35c138b1d90a39973f9c6d19adef09451015a0125967e35a4c15d9e184279c 27720 luatex_2014.20140926.35254-5_all.deb
Files:
 86559ed812af4dcc6bbbb4661d7c0bf1 2941 tex optional texlive-bin_2014.20140926.35254-5.dsc
 984c100c611ab476d8d7720bb32d2875 62124 tex optional texlive-bin_2014.20140926.35254-5.debian.tar.xz
 7b16ff69e7b75b5207e234f46415f4d0 6800660 tex optional texlive-binaries_2014.20140926.35254-5_amd64.deb
 1a5b7dd3e4e3871c20a033c4f85d63f8 153524 libs optional libkpathsea6_2014.20140926.35254-5_amd64.deb
 f82b60b00a00763e85e354413e2a9080 180094 libdevel optional libkpathsea-dev_2014.20140926.35254-5_amd64.deb
 a281c6e632bdc019c283f1ac3b3e1785 54006 libs optional libptexenc1_2014.20140926.35254-5_amd64.deb
 2ad4d223eb26ca1f163a4ee7f51bc339 53302 libdevel optional libptexenc-dev_2014.20140926.35254-5_amd64.deb
 24707f7d4f0bf2f2858db5d692b8a245 60936 libs optional libsynctex1_2014.20140926.35254-5_amd64.deb
 cf348194687984ded41866036edbcaaf 58978 libdevel optional libsynctex-dev_2014.20140926.35254-5_amd64.deb
 b8fe714c745f708554379b4bca657590 27720 oldlibs extra luatex_2014.20140926.35254-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBVLRRrmyspEiGDNwTAQjQsRAAmaygnHIQJUVo2u72IBahrEnfQm9SD73N
OOIm+u9M0+7pyzQSsOb9gIFH4Txb8dvPMjdguJTR2QL7a/a90Kq047P3vQWSmR+g
KB1GTRpEmA1x5KFincIlGcRw4R1TkNWgaNxY5evtOwnZNN1Ga1WIJ4Y/0WDtdHhe
7cvQcMgV7qJ5ft2mRktrnHfzbbwlPWMaULhb01VoYYGkO8Nm9CvX+IgfLBgz08HD
UfdWshW+0lqmUNefdJda0N2u/QnrDCew95XS5lCQ4il5V1kgQpiOqWWi2xBpaJEc
QCRsxMzYEBm7Wzu1vQIxTvVCFWmxf31zKUpeFW7sDzlvY+3TFDQC6vSGnuJzhskj
TD0qdrt951CPWuHn67RMkn2wvHUTCEbLWbokqr1Y/c/Le54Uv11qzjQ3R6Lu4+X5
omJaQsZw5eQlUUQH2tgfzbQpPlfTw1WIM7zp87+wLH5jf9OIovVbPXu1T3zRAgPt
zVHXuESnyB/yXXt1SgMl2V9+w3ArF5w+3Lo/sWNi2hdW43qH6070JIIZLcCU2lii
uj44j5VZflbT4D0rPvybSSVX4QRWe1pB7Wc8HWmCfgk8CJLBT22BtVt0g55OiwuU
XDjg4wjNDl0ta8ZLl6HrdfSpqh5nWDftlU7yX/LmiOcz+dTd7UJMnJ9ikAOqRjdi
INv/inwjDRQ=
=Zq1j
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian TeX Maintainers <debian-tex-maint@lists.debian.org>:
Bug#775139; Package texlive-binaries. (Mon, 12 Jan 2015 23:27:04 GMT)


Acknowledgement sent to Norbert Preining <preining@logic.at>:
Extra info received and forwarded to list. Copy sent to Debian TeX Maintainers <debian-tex-maint@lists.debian.org>. (Mon, 12 Jan 2015 23:27:04 GMT)


Message #21 received at 775139@bugs.debian.org:

From: Norbert Preining <preining@logic.at>
To: Jakub Wilk <jwilk@debian.org>, 775139@bugs.debian.org
Subject: Re: Bug#775139: mktexlsr: insecure use of /tmp
Date: Tue, 13 Jan 2015 08:24:48 +0900
Dear Jakub,

> treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1

Thanks, that is fine. I have built, tested, and uploaded new packages.
In 4 days or so I will ask for a freeze exception.

All the best

Norbert




Marked as found in versions texlive-bin/2012.20120628-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Jan 2015 12:18:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian TeX Maintainers <debian-tex-maint@lists.debian.org>:
Bug#775139; Package texlive-binaries. (Tue, 13 Jan 2015 18:54:05 GMT)


Acknowledgement sent to Julian Gilbey <julian@d-and-j.net>:
Extra info received and forwarded to list. Copy sent to Debian TeX Maintainers <debian-tex-maint@lists.debian.org>. (Tue, 13 Jan 2015 18:54:05 GMT)


Message #28 received at 775139@bugs.debian.org:

From: Julian Gilbey <julian@d-and-j.net>
To: Norbert Preining <preining@logic.at>, 775139@bugs.debian.org
Subject: Re: Bug#775139: mktexlsr: insecure use of /tmp
Date: Tue, 13 Jan 2015 18:51:13 +0000
On Tue, Jan 13, 2015 at 08:24:48AM +0900, Norbert Preining wrote:
> Dear Jakub,
> 
> > treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1
> 
> Thanks, that is fine. I have built, tested, and uploaded new packages.
> In 4 days or so I will ask for a freeze exception.

You don't need to wait that long if you don't want to - you can ask
for an exception immediately following an upload.

   Julian



Information forwarded to debian-bugs-dist@lists.debian.org, Debian TeX Maintainers <debian-tex-maint@lists.debian.org>:
Bug#775139; Package texlive-binaries. (Tue, 13 Jan 2015 22:54:05 GMT)


Acknowledgement sent to Norbert Preining <preining@logic.at>:
Extra info received and forwarded to list. Copy sent to Debian TeX Maintainers <debian-tex-maint@lists.debian.org>. (Tue, 13 Jan 2015 22:54:05 GMT)


Message #33 received at 775139@bugs.debian.org:

From: Norbert Preining <preining@logic.at>
To: Julian Gilbey <julian@d-and-j.net>
Cc: 775139@bugs.debian.org
Subject: Re: Bug#775139: mktexlsr: insecure use of /tmp
Date: Wed, 14 Jan 2015 07:51:34 +0900
Hi Julian,

> You don't need to wait that long if you don't want to - you can ask
> for an exception immediately following an upload.

Yes, but I want to make sure that all rebuilds have worked and that
no new problems arise ;-) Not very likely, but still a chance.

Norbert




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 12 Feb 2015 07:27:09 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 05:17:27 2025; Machine Name: buxtehude
