Bug#57746: Your Debian/tetex-Bug report: Security: Directories are kept a+w
Dear Scott,
3 years ago you reported a bug in tetex to the Debian bug report
system. You criticized:
> This package installs several of its directories a+w, which is a security
> issue:
>
> drwxrwxrwt 4 root root 1024 Jan 27 13:13 /var/spool/texmf/pk
> drwxrwxrwt 6 root root 1024 Jan 27 05:55 /var/spool/texmf/pk/ljfour
> drwxrwxrwt 4 crosby crosby 1024 Jan 27 05:56
> [...]
Since then, the bug has not really been addressed. The directories have
been moved, but now /var/cache/fonts are a+w. However, it is not clear
to me which security risks you see in this case. I am not familiar
enough with TeX's font handling to know whether malformed files there
could lead to a buffer overflow or the like?
I would be glad if you could elaborate a little on that. Note that I am
not the maintainer of tetex and also not subscribed to get all
tetex-related mails, so please keep me in the Cc, as well as Hilmar.
Thank you in advance,
Frank
--
Frank Küster, Biozentrum der Univ. Basel
Abt. Biophysikalische Chemie