Bug#775139: mktexlsr: insecure use of /tmp
Hi Norbert!
Thanks for the quick reply.
* Norbert Preining <preining@logic.at>, 2015-01-12, 22:18:
treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
[...]
Please use mktemp(1) for creating temporary files.
Is this fine?
--- texlive-bin.orig/texk/kpathsea/mktexlsr
+++ texlive-bin/texk/kpathsea/mktexlsr
@@ -73,7 +73,7 @@
dry_run=false
trees=
-treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
+treefile=`mktemp -q --tmpdir mktexlsrtrees.XXXXXXXXXX`
It's mostly fine.
Why silence errors from mktemp(1)? You get rather mysterious errors if
creating the temporary file fails:
$ TMPDIR=/moo mktexlsr .
/usr/bin/mktexlsr: 113: /usr/bin/mktexlsr: cannot create : Directory nonexistent
mktexlsr: : could not append to arg file, goodbye.
mktexlsr: /var/lib/texmf: directory not writable. Skipping...
mktexlsr: /var/lib/texmf: directory not writable. Skipping...
mktexlsr: /var/lib/texmf: directory not writable. Skipping...
mktexlsr: Done.
I'd suggest dropping -q, and making the script exit early if mktemp
fails:
treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1
With that change, the error message is clear:
$ TMPDIR=/moo mktexlsr .
mktemp: failed to create file via template ‘/moo/mktexlsrtrees.XXXXXXXXXX’: No such file or directory
Should I upload this to unstable now for jhessie?
Jessie RC policy[0] says that “any programs and scripts that create
files in /tmp or other world writable directories must use a mechanism
which fails if the file already exists”. So it's arguably RC for jessie.
[0] https://release.debian.org/jessie/rc_policy.txt
--
Jakub Wilk
Reply to: