
Bug#1029913: marked as done (texlive-pictures: /usr/share/texlive/texmf-dist/scripts/epspdf/epspdf.tlu: /tmp write vulnerability)



Your message dated Wed, 15 Feb 2023 23:21:34 +0000
with message-id <E1pSR5i-00C4wq-CH@fasolo.debian.org>
and subject line Bug#1029913: fixed in texlive-base 2022.20230122-2
has caused the Debian Bug report #1029913,
regarding texlive-pictures: /usr/share/texlive/texmf-dist/scripts/epspdf/epspdf.tlu: /tmp write vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1029913: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029913
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: texlive-pictures
Version: 2020.20210202-3
Severity: grave
File: /usr/share/texlive/texmf-dist/scripts/epspdf/epspdf.tlu

Classic /tmp write vulnerability: function dir_writable writes to
"/tmp/1" (and if this fails, "/tmp/2" etc.) without sufficient
checks.

Harmless demonstration:

% mkfifo /tmp/1
% epspdf /etc/hostname /dev/null  # any non-empty input file will do

hangs indefinitely trying to write to the pipe (as can be seen using
strace).

That's already a bug (and incidentally the one that actually
happened to me), but it seems it can be turned into an exploit using
a symlink. Though on my system this seems to be mitigated due to
this kernel patch:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=30aba6656f61ed44cba445a3c0d38b296fa9e8f5

But on systems where the patch is not installed or not active, it
would be possible to get any other user, possibly root, that runs
this program to write "test" to a new file of the attacker's choice.
I don't know how to turn this into a more serious privilege
escalation, but that's just my lack of fantasy and knowledge of e.g.
every possible file and subdirectory under /etc. In any case,
writing such a file is already transgressing privileges.

To avoid this, as usual for this kind of exploit, files written
under publicly writable directories such as /tmp must be opened with
O_CREAT|O_EXCL (whatever the equivalent in texlua is, if any), or a
subdirectory must be created since mkdir will fail if the target
exists already, even as a dangling symlink.

--- End Message ---
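The two remedies the report names (open with O_CREAT|O_EXCL, or create a private subdirectory) can be replayed next to the faulty pattern. The following is an added example written for this page; it is not the epspdf.tlu code nor the Debian patch, and it uses Python's os.open rather than texlua because the point is the open(2) flag semantics, not the script. It stages the attack in a private scratch directory standing in for /tmp (so the kernel's protected_regular/protected_fifos restrictions, which only apply to sticky world-writable directories, do not mask the result); the file names "1", "2", "victim.conf" and "attacker-chosen" are constructed for the demonstration.

```python
import errno
import os
import shutil
import tempfile

MARKER = b"test"  # what the faulty check wrote, per the bug report


def unsafe_probe(directory, name):
    """The faulty pattern: open a predictable name in a shared directory for
    writing. open() follows symlinks, so a link planted at that name redirects
    the truncation and the write to whatever file the link points at."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:  # O_WRONLY|O_CREAT|O_TRUNC, follows links
        fh.write(MARKER)
    return path


def safe_probe(directory, name):
    """Hardened form from the report: O_CREAT|O_EXCL refuses any pre-existing
    entry, a dangling symlink included. O_NOFOLLOW is belt and braces.
    Raises OSError (EEXIST) when the name is already taken."""
    path = os.path.join(directory, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, MARKER)
    finally:
        os.close(fd)
    return path


def private_subdir(directory):
    """The other remedy from the report: a private subdirectory. mkdtemp() is
    mkdir() with a random name and mode 0700, and mkdir() fails with EEXIST
    if anything (even a dangling symlink) already sits at the chosen name."""
    return tempfile.mkdtemp(prefix="epspdf-", dir=directory)


def _attempt(fn, *args):
    """Run fn and report 'wrote' or 'refused:<errno name>'."""
    try:
        fn(*args)
        return "wrote"
    except OSError as exc:
        return "refused:" + errno.errorcode.get(exc.errno, str(exc.errno))


def demo():
    """Replay the symlink attack in a scratch directory standing in for /tmp.
    Returns the observed outcomes as a dict (constructed scenario)."""
    scratch = tempfile.mkdtemp(prefix="tmp-stand-in-")
    try:
        victim = os.path.join(scratch, "victim.conf")       # existing file
        planted = os.path.join(scratch, "attacker-chosen")  # does not exist yet
        with open(victim, "wb") as fh:
            fh.write(b"original contents\n")
        # attacker pre-plants the predictable names as symlinks
        os.symlink(victim, os.path.join(scratch, "1"))   # -> existing file
        os.symlink(planted, os.path.join(scratch, "2"))  # dangling link

        outcomes = {
            # hardened variants first: they must refuse and change nothing
            "safe_on_existing_link": _attempt(safe_probe, scratch, "1"),
            "safe_on_dangling_link": _attempt(safe_probe, scratch, "2"),
            "mkdir_on_dangling_link": _attempt(os.mkdir, os.path.join(scratch, "2")),
        }
        sub = private_subdir(scratch)
        outcomes["subdir_mode"] = oct(os.stat(sub).st_mode & 0o777)

        # faulty variant: follows both links, clobbering one file and
        # creating the other at the attacker's chosen path
        unsafe_probe(scratch, "1")
        unsafe_probe(scratch, "2")
        with open(victim, "rb") as fh:
            outcomes["victim_after_unsafe"] = fh.read()
        outcomes["unsafe_created_attacker_file"] = os.path.exists(planted)
        return outcomes
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the victim file reduced to "test" and the attacker-chosen path created by the unsafe probe, while O_CREAT|O_EXCL and mkdir both fail with EEXIST on the planted links. Note that O_EXCL alone is what stops the dangling-link case; a plain existence check before open() would still race.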
--- Begin Message ---
Source: texlive-base
Source-Version: 2022.20230122-2
Done: Hilmar Preusse <hille42@web.de>

We believe that the bug you reported is fixed in the latest version of
texlive-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1029913@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilmar Preusse <hille42@web.de> (supplier of updated texlive-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Feb 2023 14:35:08 +0100
Source: texlive-base
Architecture: source
Version: 2022.20230122-2
Distribution: unstable
Urgency: medium
Maintainer: Debian TeX Task Force <debian-tex-maint@lists.debian.org>
Changed-By: Hilmar Preusse <hille42@web.de>
Closes: 1029913 1030622
Changes:
 texlive-base (2022.20230122-2) unstable; urgency=medium
 .
   [ Jelmer Vernooij ]
   * Include package in Vcs-Git/Vcs-Browser header.
 .
   * New texlive-latex-base is incompatible to old
     texlive-lang-japanese, add Breaks statement (Closes: #1030622).
   * epspdf.tlu: patch from Siep Kroonenberg <siepo@bitmuis.nl>:
     Eliminate faulty check for writability system_tmpdir;
     just error out when no tempdir for epspdf can be created.
     (Closes: #1029913)
Checksums-Sha1:
 0b6b884d22a60e59914ac9ffd7780a690a8fbb41 3261 texlive-base_2022.20230122-2.dsc
 96164ffb6c940fc9f8e9f28da25b2668c96eccba 315476 texlive-base_2022.20230122-2.debian.tar.xz
 482d25f2bc07baf344ca00963fb39becb6c14d89 5709 texlive-base_2022.20230122-2_source.buildinfo
Checksums-Sha256:
 19a1ffcdd086a1c555a2217a919ef304a659f3aeb8c665473c7b95edabda0e11 3261 texlive-base_2022.20230122-2.dsc
 8c4ad5cd6eaaf39384c0b857a82ce2e955e5849e0d4a1f218a084cc0ca09a453 315476 texlive-base_2022.20230122-2.debian.tar.xz
 7ecfc20843626744fb66db605d9fe28ed3e8853cdb4cd7f9e56ff71c91ddf2b2 5709 texlive-base_2022.20230122-2_source.buildinfo
Files:
 8057d9deb12603c371d8c811680c6ed8 3261 tex optional texlive-base_2022.20230122-2.dsc
 c35acce9d1d1c4a59801a73c39bc69cc 315476 tex optional texlive-base_2022.20230122-2.debian.tar.xz
 91de762a5cc44f0a92f6d9f3557b6818 5709 tex optional texlive-base_2022.20230122-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
