Bug#1029913: texlive-pictures: /usr/share/texlive/texmf-dist/scripts/epspdf/epspdf.tlu: /tmp write vulnerability

To: Frank Heckenbach <f.heckenbach@fh-soft.de>
Cc: 1029913@bugs.debian.org
Subject: Bug#1029913: texlive-pictures: /usr/share/texlive/texmf-dist/scripts/epspdf/epspdf.tlu: /tmp write vulnerability
From: Hilmar Preuße <hille42@web.de>
Date: Mon, 30 Jan 2023 20:32:12 +0100
Message-id: <[🔎] 63303b2a-0e3d-885f-6974-172201736026@web.de>
Reply-to: Hilmar Preuße <hille42@web.de>, 1029913@bugs.debian.org
In-reply-to: <[🔎] E1pLuBn-00FGcX-Pv@mars>
References: <[🔎] E1pLuBn-00FGcX-Pv@mars> <[🔎] E1pLuBn-00FGcX-Pv@mars>

Control: tags -1 + help

Am 29.01.2023 um 00:00 teilte Frank Heckenbach mit:

Hi,

Classic /tmp write vulnerability: function dir_writable writes to
"/tmp/1" (and if this fails, "/tmp/2" etc.) without sufficient
checks.

Harmless demonstration:

% mkfifo /tmp/1
% epspdf /etc/hostname /dev/null  # any non-empty input file will do

hangs indefinitely trying to write to the pipe (as can be seen using
strace).


I sent an E-Mail to upstream, however I don't expect a fast response.
Tagging "help" for know.

Hilmar
--
sigfault

Reply to:

References:
- Bug#1029913: texlive-pictures: /usr/share/texlive/texmf-dist/scripts/epspdf/epspdf.tlu: /tmp write vulnerability
  - From: Frank Heckenbach <f.heckenbach@fh-soft.de>

Prev by Date: Bug#1024997: install-info: dir entry for emacs is bolloxed
Next by Date: Processed: Re: Bug#1029913: texlive-pictures: /usr/share/texlive/texmf-dist/scripts/epspdf/epspdf.tlu: /tmp write vulnerability
Previous by thread: Bug#1029913: texlive-pictures: /usr/share/texlive/texmf-dist/scripts/epspdf/epspdf.tlu: /tmp write vulnerability
Next by thread: Processed: Re: Bug#1029913: texlive-pictures: /usr/share/texlive/texmf-dist/scripts/epspdf/epspdf.tlu: /tmp write vulnerability
Index(es):
- Date
- Thread