Bug#775139: marked as done (mktexlsr: insecure use of /tmp)



Your message dated Mon, 12 Jan 2015 23:18:47 +0000
with message-id <E1YAoFz-0004jJ-DG@franck.debian.org>
and subject line Bug#775139: fixed in texlive-bin 2014.20140926.35254-5
has caused the Debian Bug report #775139,
regarding mktexlsr: insecure use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
775139: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775139
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: texlive-binaries
Version: 2014.20140926.35254-4
Tags: security

This is how mktexlsr uses temporary files (with boring parts snipped):

treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
# ...
while test $# -gt 0; do
   # ...
   (umask 077
   if echo "$1" >>"$treefile"; then :; else
     echo "$progname: $treefile: could not append to arg file, goodbye." >&2
     exit 1
   fi
   # ...
done


This is insecure because the filename is predictable and, more importantly, the program doesn't fail atomically if the file already exists.

Please use mktemp(1) for creating temporary files.

--
Jakub Wilk

--- End Message ---
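The replacement the report asks for, written out as an added example (this is not the patched mktexlsr and not code from either message above): the "trees" file is created with mktemp(1) so its name is unpredictable and creation itself is the atomic exclusive step, instead of appending to a predictable ${TMPDIR-/tmp}/mktexlsrtrees$$.tmp that may already exist. The function names, the demo tree paths and the use of GNU stat(1) for the mode check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from mktexlsr or from the bug report: the temporary
# "trees" file created the way the report recommends, via mktemp(1), instead
# of the predictable ${TMPDIR-/tmp}/mktexlsrtrees$$.tmp name. The function
# names, the demo tree paths and the use of GNU stat(1) are assumptions.
progname=mktexlsr-demo

# mktemp(1) creates the file with O_CREAT|O_EXCL and mode 0600, so the name
# is unpredictable and creation fails instead of silently reusing (or
# following) something that already sits at that path. Prints the path.
safe_treefile() {
  tf=$(mktemp "${TMPDIR-/tmp}/mktexlsrtrees.XXXXXX") || {
    echo "$progname: could not create temporary file, goodbye." >&2
    return 1
  }
  printf '%s\n' "$tf"
}

# Same append loop as the script, but against the mktemp-created path.
# Usage: append_trees TREEFILE TREE...
append_trees() {
  tf=$1; shift
  while test $# -gt 0; do
    if echo "$1" >>"$tf"; then :; else
      echo "$progname: $tf: could not append to arg file, goodbye." >&2
      return 1
    fi
    shift
  done
}

# Post-creation checks a practitioner can run: the file is a regular file
# (not a symlink) and its mode is 0600. Assumes GNU stat; BSD stat uses -f.
treefile_mode() {
  if [ -L "$1" ] || [ ! -f "$1" ]; then
    echo "$progname: $1: not a regular file" >&2
    return 1
  fi
  stat -c '%a' "$1"
}

main() {
  tf=$(safe_treefile) || exit 1
  # Remove the file on any exit so nothing is left behind in $TMPDIR.
  trap 'rm -f "$tf"' EXIT HUP INT TERM
  append_trees "$tf" "$@" || exit 1
  echo "trees recorded in $tf (mode $(treefile_mode "$tf")):"
  cat "$tf"
}

# Run the demo only when tree directories are given on the command line,
# e.g.  ./demo.sh /usr/share/texmf /usr/local/share/texmf
if [ $# -gt 0 ]; then
  main "$@"
fi
```

The point of the change is that mktemp does the existence check and the creation in one system call; a shell-level "test -e then create" sequence would reintroduce the race the report describes. The trap is there so an aborted run does not leave a file behind that a later run could be confused by.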
--- Begin Message ---
Source: texlive-bin
Source-Version: 2014.20140926.35254-5

We believe that the bug you reported is fixed in the latest version of
texlive-bin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775139@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Preining <preining@debian.org> (supplier of updated texlive-bin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 13 Jan 2015 07:32:13 +0900
Source: texlive-bin
Binary: texlive-binaries libkpathsea6 libkpathsea-dev libptexenc1 libptexenc-dev libsynctex1 libsynctex-dev luatex
Architecture: source amd64 all
Version: 2014.20140926.35254-5
Distribution: unstable
Urgency: high
Maintainer: Debian TeX Maintainers <debian-tex-maint@lists.debian.org>
Changed-By: Norbert Preining <preining@debian.org>
Description:
 libkpathsea-dev - TeX Live: path search library for TeX (development part)
 libkpathsea6 - TeX Live: path search library for TeX (runtime part)
 libptexenc-dev - TeX Live: ptex encoding library (development part)
 libptexenc1 - TeX Live: pTeX encoding library
 libsynctex-dev - Tex Live: SyncTeX parser library (development part)
 libsynctex1 - TeX Live: SyncTeX parser library
 luatex     - TeX Live: transitional dummy package
 texlive-binaries - Binaries for TeX Live
Closes: 775139
Changes:
 texlive-bin (2014.20140926.35254-5) unstable; urgency=high
 .
   * fix insecure temp file creation in mktexlsr (Closes: #775139)
Checksums-Sha1:
 59ffd52139fdccd2f858ca49c7dc6fdc10cab077 2941 texlive-bin_2014.20140926.35254-5.dsc
 96637c0eb4b72ebb64545be541e5fe6e271750c0 62124 texlive-bin_2014.20140926.35254-5.debian.tar.xz
 64cf067bec65a94d9473b57d7e394340e5fdbd95 6800660 texlive-binaries_2014.20140926.35254-5_amd64.deb
 bd36b655fbb52e03306fcdfc27c432287639e541 153524 libkpathsea6_2014.20140926.35254-5_amd64.deb
 09743c21adc6b988ba8f1d115171de77047d8f23 180094 libkpathsea-dev_2014.20140926.35254-5_amd64.deb
 8849506ec4bf3ea8bbff1d108247e35678e512a7 54006 libptexenc1_2014.20140926.35254-5_amd64.deb
 151842b9608d6f1e98e393cc08bddac526ec7c32 53302 libptexenc-dev_2014.20140926.35254-5_amd64.deb
 24bf4076b452165f202105a00a62dca957b59b10 60936 libsynctex1_2014.20140926.35254-5_amd64.deb
 0d19447237215a26de50ca1217ea03ff04646932 58978 libsynctex-dev_2014.20140926.35254-5_amd64.deb
 931c81047addca4cff45035bbee8a2b35bc3926e 27720 luatex_2014.20140926.35254-5_all.deb
Checksums-Sha256:
 36526f08f2ad26f1ab326e12463ea4e2483fd784e2fe4f5dbde90955ad20fec3 2941 texlive-bin_2014.20140926.35254-5.dsc
 8904cbc2dc8c3365377863b5d640195753764795cd64929c7aa9f16837596ce2 62124 texlive-bin_2014.20140926.35254-5.debian.tar.xz
 6a52baf6cc487c665016112ffe429417a84a075200a0f9f0964e517e452b8dc3 6800660 texlive-binaries_2014.20140926.35254-5_amd64.deb
 195616ec261c7841e90d8d4181179c33bcc618e9f68ab8496c753f6d64adbeb3 153524 libkpathsea6_2014.20140926.35254-5_amd64.deb
 b39348c37b7348901c30d767135440a49526700c36b5177a9f9cec20231ce2cc 180094 libkpathsea-dev_2014.20140926.35254-5_amd64.deb
 5a12646b820d3af3fe223ada74359a406b9ad060233df34e65ed946e05a61fab 54006 libptexenc1_2014.20140926.35254-5_amd64.deb
 82725a22c8a502d63bf2e4269c9076684715d74d3e37495f88ad29561f1047bb 53302 libptexenc-dev_2014.20140926.35254-5_amd64.deb
 2382af7805b41a2b4bbc1afcc7f02f94f0000c86bd25a7222802c9e7ec21ab5c 60936 libsynctex1_2014.20140926.35254-5_amd64.deb
 2d9b30c333f6d6bbc3c8a200de38dd396404e3ebdbc840d454c0e90f9c382d63 58978 libsynctex-dev_2014.20140926.35254-5_amd64.deb
 db35c138b1d90a39973f9c6d19adef09451015a0125967e35a4c15d9e184279c 27720 luatex_2014.20140926.35254-5_all.deb
Files:
 86559ed812af4dcc6bbbb4661d7c0bf1 2941 tex optional texlive-bin_2014.20140926.35254-5.dsc
 984c100c611ab476d8d7720bb32d2875 62124 tex optional texlive-bin_2014.20140926.35254-5.debian.tar.xz
 7b16ff69e7b75b5207e234f46415f4d0 6800660 tex optional texlive-binaries_2014.20140926.35254-5_amd64.deb
 1a5b7dd3e4e3871c20a033c4f85d63f8 153524 libs optional libkpathsea6_2014.20140926.35254-5_amd64.deb
 f82b60b00a00763e85e354413e2a9080 180094 libdevel optional libkpathsea-dev_2014.20140926.35254-5_amd64.deb
 a281c6e632bdc019c283f1ac3b3e1785 54006 libs optional libptexenc1_2014.20140926.35254-5_amd64.deb
 2ad4d223eb26ca1f163a4ee7f51bc339 53302 libdevel optional libptexenc-dev_2014.20140926.35254-5_amd64.deb
 24707f7d4f0bf2f2858db5d692b8a245 60936 libs optional libsynctex1_2014.20140926.35254-5_amd64.deb
 cf348194687984ded41866036edbcaaf 58978 libdevel optional libsynctex-dev_2014.20140926.35254-5_amd64.deb
 b8fe714c745f708554379b4bca657590 27720 oldlibs extra luatex_2014.20140926.35254-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBVLRRrmyspEiGDNwTAQjQsRAAmaygnHIQJUVo2u72IBahrEnfQm9SD73N
OOIm+u9M0+7pyzQSsOb9gIFH4Txb8dvPMjdguJTR2QL7a/a90Kq047P3vQWSmR+g
KB1GTRpEmA1x5KFincIlGcRw4R1TkNWgaNxY5evtOwnZNN1Ga1WIJ4Y/0WDtdHhe
7cvQcMgV7qJ5ft2mRktrnHfzbbwlPWMaULhb01VoYYGkO8Nm9CvX+IgfLBgz08HD
UfdWshW+0lqmUNefdJda0N2u/QnrDCew95XS5lCQ4il5V1kgQpiOqWWi2xBpaJEc
QCRsxMzYEBm7Wzu1vQIxTvVCFWmxf31zKUpeFW7sDzlvY+3TFDQC6vSGnuJzhskj
TD0qdrt951CPWuHn67RMkn2wvHUTCEbLWbokqr1Y/c/Le54Uv11qzjQ3R6Lu4+X5
omJaQsZw5eQlUUQH2tgfzbQpPlfTw1WIM7zp87+wLH5jf9OIovVbPXu1T3zRAgPt
zVHXuESnyB/yXXt1SgMl2V9+w3ArF5w+3Lo/sWNi2hdW43qH6070JIIZLcCU2lii
uj44j5VZflbT4D0rPvybSSVX4QRWe1pB7Wc8HWmCfgk8CJLBT22BtVt0g55OiwuU
XDjg4wjNDl0ta8ZLl6HrdfSpqh5nWDftlU7yX/LmiOcz+dTd7UJMnJ9ikAOqRjdi
INv/inwjDRQ=
=Zq1j
-----END PGP SIGNATURE-----

--- End Message ---