
Bug#57746: Your Debian/tetex-Bug report: Security: Directories are kept a+w



Dear Scott,

3 years ago you reported a bug in tetex to the Debian bug report
system. You criticized:

> This package installs several of its directories a+w, which is a security
> issue:
>
> drwxrwxrwt    4 root     root         1024 Jan 27 13:13 /var/spool/texmf/pk
> drwxrwxrwt    6 root     root         1024 Jan 27 05:55 /var/spool/texmf/pk/ljfour
> drwxrwxrwt    4 crosby   crosby       1024 Jan 27 05:56
> [...]

Since then, the bug has not really been addressed. The directories have
been moved, but now /var/cache/fonts are a+w. However, it is not clear
to me which security risks you see in this case. I am not familiar
enough with TeX's font handling to know whether malformed files there
could lead to a buffer overflow or the like?

I would be glad if you could elaborate a little on that. Note that I am
not the maintainer of tetex and also not subscribed to get all
tetex-related mails, so please keep me in the Cc, as well as Hilmar.

Thank you in advance,
Frank
-- 
Frank Küster, Biozentrum der Univ. Basel
Abt. Biophysikalische Chemie



