Hello community,
here is the log from the commit of package texlive-filesystem for
openSUSE:Leap:15.2 checked in at 2020-06-11 16:18:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/texlive-filesystem (Old)
and /work/SRC/openSUSE:Leap:15.2/.texlive-filesystem.new.3606 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "texlive-filesystem"
Thu Jun 11 16:18:28 2020 rev:38 rq:813290 version:unknown
Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/texlive-filesystem/texlive-filesystem.changes
2020-03-02 17:21:31.394083709 +0100
+++
/work/SRC/openSUSE:Leap:15.2/.texlive-filesystem.new.3606/texlive-filesystem.changes
2020-06-11 16:19:09.766925779 +0200
@@ -1,0 +2,24 @@
+Wed Jun 3 07:11:26 UTC 2020 - Dr. Werner Fink <[email protected]>
+
+- Simplify %pre scriplet, that is always create mktex group
+
+-------------------------------------------------------------------
+Mon Mar 23 16:18:13 UTC 2020 - Dr. Werner Fink <[email protected]>
+
+- Add new configuration variable HAVE_MKTEX_MEMBERS to texlive
+ sysconfig file to control the behaviour of the cron job.
+- Change the cron job to clear data of other users which are
+ member of the group mktex (boo#1159740)
+
+-------------------------------------------------------------------
+Thu Feb 20 11:01:15 UTC 2020 - Dr. Werner Fink <[email protected]>
+
+- Use setpriv to create ls-R files, below /var/cache/texmf/fonts
+ use uid mktex for this (boo#1159740, CVE-2020-8016)
+
+-------------------------------------------------------------------
+Wed Feb 5 06:56:24 UTC 2020 - Dr. Werner Fink <[email protected]>
+
+- Check passwd not group file for user mktex
+
+-------------------------------------------------------------------
@@ -5 +29 @@
- the files of this owner (boo#1159740)
+ the files of this owner (boo#1159740, CVE-2020-8016)
@@ -10 +34 @@
-- Overwrite not wanted sysmbolic links on ls-R files
+- Overwrite not wanted symbolic links on ls-R files
@@ -22 +46 @@
- to user nobody (bsc#1159740)
+ to user nobody (bsc#1159740, CVE-2020-8016)
@@ -24 +48 @@
- font cache directories (bsc#1158910)
+ font cache directories (bsc#1158910, CVE-2020-8017)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ texlive-filesystem.spec ++++++
--- /var/tmp/diff_new_pack.EulXGM/_old 2020-06-11 16:19:10.498927759 +0200
+++ /var/tmp/diff_new_pack.EulXGM/_new 2020-06-11 16:19:10.510927791 +0200
@@ -44,10 +44,12 @@
Requires: python3
Requires(pre): /usr/bin/getent
Requires(pre): /usr/sbin/groupadd
+Requires(pre): /usr/bin/stat
Requires(post): %fillup_prereq
Requires(post): permissions
Requires(post): /usr/bin/mktemp
Requires(post): /usr/bin/mv
+Requires(post): /usr/bin/setpriv
Requires(pre): /usr/bin/perl
Requires(pre): /usr/bin/clear
Requires(pre): /usr/bin/dialog
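Review bot: The scriptlet dependencies added in this hunk do not match what the new scriptlets call. `Requires(pre): /usr/bin/stat` is added, yet the only visible `stat` call in `%pre` is removed by this same commit, while the new `%pre` runs `%{_sbindir}/useradd` and no `Requires(pre): /usr/sbin/useradd` appears among the visible lines. Unless that requirement is declared outside this hunk, I would add `Requires(pre): /usr/sbin/useradd` next to the `groupadd` line and drop the `stat` one if nothing else in `%pre` needs it. Otherwise the account creation can fail on a minimal install and leave the font cache directories without their intended owner.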
@@ -151,8 +153,9 @@
%define _appdefdir %{_x11data}/app-defaults
#
%define texgrp mktex
-%define nobody nobody
+%define texusr mktex
#define texgid 505
+#define texuid 505
#
%description
The basic file system layout for TeX Live installation.
@@ -13831,7 +13834,7 @@
(cat > %{buildroot}%{_sysconfdir}/permissions.d/texlive.texlive) <<-EOF
%{_libexecdir}/mktex/public root:%{texgrp} 2755
%{_texmfconfdir}/ls-R root:%{texgrp} 0664
- %{_fontcache}/ls-R root:%{texgrp} 0664
+ %{_fontcache}/ls-R %{texusr}:%{texgrp} 0664
%{_texmfvardir}/ls-R root:%{texgrp} 0664
%{_texmfvardir}/dist/ls-R root:%{texgrp} 0664
%{_texmfvardir}/main/ls-R root:%{texgrp} 0664
@@ -13843,15 +13846,15 @@
%{_texmfvardir}/fonts/dvips/ root:root 1755
%{_texmfvardir}/fonts/pdftex/ root:root 1755
%{_texmfcache}/ root:root 1755
- %{_fontcache}/ %{nobody}:%{texgrp} 1775
- %{_fontcache}/pk/ %{nobody}:%{texgrp} 1775
- %{_fontcache}/source/ %{nobody}:%{texgrp} 1775
- %{_fontcache}/tfm/ %{nobody}:%{texgrp} 1775
+ %{_fontcache}/ %{texusr}:%{texgrp} 1775
+ %{_fontcache}/pk/ %{texusr}:%{texgrp} 1775
+ %{_fontcache}/source/ %{texusr}:%{texgrp} 1775
+ %{_fontcache}/tfm/ %{texusr}:%{texgrp} 1775
EOF
(cat > %{buildroot}%{_sysconfdir}/permissions.d/texlive) <<-EOF
%{_libexecdir}/mktex/public root:%{texgrp} 0755
%{_texmfconfdir}/ls-R root:%{texgrp} 0664
- %{_fontcache}/ls-R root:%{texgrp} 0664
+ %{_fontcache}/ls-R %{texusr}:%{texgrp} 0664
%{_texmfvardir}/ls-R root:%{texgrp} 0664
%{_texmfvardir}/dist/ls-R root:%{texgrp} 0664
%{_texmfvardir}/main/ls-R root:%{texgrp} 0664
@@ -13863,10 +13866,10 @@
%{_texmfvardir}/fonts/dvips/ root:root 1755
%{_texmfvardir}/fonts/pdftex/ root:root 1755
%{_texmfcache}/ root:root 1755
- %{_fontcache}/ %{nobody}:%{texgrp} 1775
- %{_fontcache}/pk/ %{nobody}:%{texgrp} 1775
- %{_fontcache}/source/ %{nobody}:%{texgrp} 1775
- %{_fontcache}/tfm/ %{nobody}:%{texgrp} 1775
+ %{_fontcache}/ %{texusr}:%{texgrp} 1775
+ %{_fontcache}/pk/ %{texusr}:%{texgrp} 1775
+ %{_fontcache}/source/ %{texusr}:%{texgrp} 1775
+ %{_fontcache}/tfm/ %{texusr}:%{texgrp} 1775
EOF
%if %{with zypper_posttrans}
@@ -13923,45 +13926,39 @@
%endif
%pre
-if test "$1" = 1 && ! %{_bindir}/getent group %{texgrp} > /dev/null 2>&1 ; then
+if ! %{_bindir}/getent group %{texgrp} > /dev/null 2>&1 ; then
%{_sbindir}/groupadd -r %{?texgid:-g %texgid} %{texgrp}
fi
+if ! %{_bindir}/getent passwd %{texusr} > /dev/null 2>&1 ; then
+ %{_sbindir}/useradd -r %{?texuid:-u %texuid} -g %{texgrp} -d
%{_fontcache} -s /bin/false %{texusr}
+fi
# the ls-R file on update
-error=0
for dir in %{_texmfconfdir} \
%{_fontcache} \
%{_texmfvardir} \
%{_texmfvardir}/dist \
%{_texmfvardir}/main
do
- test ! -h ${dir}/ls-R || rm -vf ${dir}/ls-R
- test -e ${dir}/ls-R || continue
- test "$(stat --format '%U:%G' ${dir}/ls-R)" != root:%{texgrp} || continue
- chown root:%{texgrp} ${dir}/ls-R || error=1
+ rm -f ${dir}/ls-R
done
-test $error = 0 || exit 1
%post
%fillup_only -n texlive
# the ls-R file (empty at package time)
error=0
+user=
for dir in %{_texmfconfdir} \
%{_fontcache} \
%{_texmfvardir} \
%{_texmfvardir}/dist \
%{_texmfvardir}/main
do
- test ! -e ${dir}/ls-R -o -h ${dir}/ls-R || continue
- tmp=$(mktemp ${dir}/ls-R.XXXXXX) || error=1
- test $error = 0 || continue
- mv ${tmp} ${dir}/ls-R || error=1
- test $error = 0 || continue
- chgrp %{texgrp} ${dir}/ls-R || error=1
- test $error = 0 || continue
- chmod 0664 ${dir}/ls-R || error=1
- test $error = 0 || continue
- echo '%% ls-R -- filename database for kpathsea; do not change this line.'
> \
- ${dir}/ls-R
+ test "$dir" = %{_fontcache} && user=%{texusr} || user=root
+ setpriv --reuid $user --regid %{texgrp} --init-groups /bin/sh -ec "
+ tmp=\$(mktemp ${dir}/ls-R.XXXXXX)
+ chmod 0664 \${tmp}
+ echo '%% ls-R -- filename database for kpathsea; do not change this
line.' > \${tmp}
+ mv \${tmp} ${dir}/ls-R" || error=1
done
%if %{defined set_permissions}
%set_permissions %{_texmfconfdir}/ls-R
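Review bot: The final `mv \${tmp} ${dir}/ls-R` in the `%post` loop replaces `ls-R` only when the target is not a directory. `%pre` clears it with `rm -f`, which leaves a directory in place, and the font cache directory is group-writable for mktex (mode 1775). In that case `mv` would put the temporary file inside the existing `ls-R` and still return success, so `error` stays 0 and no database file is created. Using `mv -T \${tmp} ${dir}/ls-R` (GNU coreutils) makes that case fail visibly. The temporary file is also left behind when `chmod` or `echo` fails under `-e`, and how `error` is evaluated afterwards lies outside this hunk.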
@@ -13996,12 +13993,11 @@
fi
%posttrans
-test -f /var/run/texlive/run-update || exit 0
%if %{with zypper_posttrans}
test -z "$ZYPP_IS_RUNNING" || exit 0
%endif
+test -d /var/run/texlive || exit 0
VERBOSE=false %{_texmfdistdir}/texconfig/update || :
-rm -f /var/run/texlive/run-update
%files
%defattr(-,root,root,755)
@@ -24216,15 +24212,15 @@
%dir %attr(1755,root,root) %{_texmfvardir}/web2c/tex
%dir %attr(1755,root,root) %{_texmfvardir}/web2c/xetex
%dir %attr(1755,root,root) %{_texmfcache}
-%dir %attr(1775,%{nobody},%{texgrp}) %verify(not mode) %{_fontcache}
-%dir %attr(1775,%{nobody},%{texgrp}) %verify(not mode) %{_fontcache}/pk
-%dir %attr(1775,%{nobody},%{texgrp}) %verify(not mode) %{_fontcache}/source
-%dir %attr(1775,%{nobody},%{texgrp}) %verify(not mode) %{_fontcache}/tfm
+%dir %attr(1775,%{texusr},%{texgrp}) %verify(not mode) %{_fontcache}
+%dir %attr(1775,%{texusr},%{texgrp}) %verify(not mode) %{_fontcache}/pk
+%dir %attr(1775,%{texusr},%{texgrp}) %verify(not mode) %{_fontcache}/source
+%dir %attr(1775,%{texusr},%{texgrp}) %verify(not mode) %{_fontcache}/tfm
%dir %{_texmfvardir}/md5
%verify(link) %{_texmfmaindir}/ls-R
%verify(link) %{_texmfdistdir}/ls-R
%ghost %config(noreplace) %attr(0664,root,%{texgrp}) %verify(not md5 size
mtime mode) %{_texmfconfdir}/ls-R
-%ghost %config(noreplace) %attr(0664,root,%{texgrp}) %verify(not md5 size
mtime mode) %{_fontcache}/ls-R
+%ghost %config(noreplace) %attr(0664,%{texusr},%{texgrp}) %verify(not md5 size
mtime mode) %{_fontcache}/ls-R
%ghost %config(noreplace) %attr(0664,root,%{texgrp}) %verify(not md5 size
mtime mode) %{_texmfvardir}/ls-R
%ghost %config(noreplace) %attr(0664,root,%{texgrp}) %verify(not md5 size
mtime mode) %{_texmfvardir}/dist/ls-R
%ghost %config(noreplace) %attr(0664,root,%{texgrp}) %verify(not md5 size
mtime mode) %{_texmfvardir}/main/ls-R
++++++ rc.config.texlive ++++++
--- /var/tmp/diff_new_pack.EulXGM/_old 2020-06-11 16:19:10.662928202 +0200
+++ /var/tmp/diff_new_pack.EulXGM/_new 2020-06-11 16:19:10.662928202 +0200
@@ -10,3 +10,16 @@
# will be cleared from fonts not used in the last 20 days.
#
CLEAR_TEXMF_FONTS="no"
+
+## Type: yesno
+## Default: no
+## Command:
+#
+# If above is set to yes and there are users which are member
+# of the group mktex then it might be that users have set an
+# umask which does not allow the user mktex to clear the cache
+# below /var/cache/fonts/. Setting HAVE_MKTEX_MEMBERS to "yes"
+# will allow the cron job to change the group mask hence allow
+# to clear older data.
+#
+HAVE_MKTEX_MEMBERS="no"
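Review bot: The help text for HAVE_MKTEX_MEMBERS does not say what the cron job actually changes, which an administrator needs to know before enabling it. Going by the texlive.cron change in this commit, `yes` makes the job run `chmod g+rw` on files and `chmod g+rwsx` on directories owned by each mktex group member, so that data becomes writable by every other member of the group. I would state that in the comment, e.g. `# "yes" makes files and directories owned by mktex group members in the font cache group-writable (directories also setgid).` The path `/var/cache/fonts/` also differs from `/var/cache/texmf/fonts` in the changelog entry, so one of the two is presumably wrong.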
++++++ texlive.cron ++++++
--- /var/tmp/diff_new_pack.EulXGM/_old 2020-06-11 16:19:10.706928322 +0200
+++ /var/tmp/diff_new_pack.EulXGM/_new 2020-06-11 16:19:10.706928322 +0200
@@ -14,46 +14,63 @@
type -f -p setpriv >& /dev/null || exit 0
type -f -p sort >& /dev/null || exit 0
type -f -p rm >& /dev/null || exit 0
+type -f -p seq >& /dev/null || exit 0
+type -f -p getent >& /dev/null || exit 0
test -r /etc/sysconfig/texlive && . /etc/sysconfig/texlive
OLDIFS=$IFS; IFS=':;'
VARTEXFONTS="$(kpsewhich --expand-var '$VARTEXFONTS' 2> /dev/null)"
IFS=$OLDIFS
-uids=$(find $VARTEXFONTS/ \( -not -type d \) -printf '%U\n' | sort -u)
-
-if test "$CLEAR_TEXMF_FONTS" = "yes" -a -n "$VARTEXFONTS"
+if test -n "$VARTEXFONTS" -a "$HAVE_MKTEX_MEMBERS" = yes
then
- for uid in ${uids[@]}
+ IFS=:
+ users=($(getent group mktex))
+ IFS=$OLDIFS
+ typeset -i i
+ typeset -i u=${#users[*]}
+ let u--
+ for p in $VARTEXFONTS
do
- for p in $VARTEXFONTS
+ test -d $p || continue
+ for i in $(seq 3 $u)
do
- test -d $p/pk/ && find $p/pk/ \( -not -type d -and -atime
+20 -and -uid $uid \) -print0
- test -d $p/tfm/ && find $p/tfm/ \( -not -type d -and -atime
+60 -and -uid $uid \) -print0
- test -d $p/source/ && find $p/source/ \( -not -type d -and -atime
+60 -and -uid $uid \) -print0
- done > >(exec -a xargs xargs -r -L100 -0 -- setpriv --reuid $uid
--regid mktex --init-groups rm -f)
+ find -P $p \( \( -type f -and -not -type l \) -and -user
${users[$i]} \) -print0 | \
+ xargs -r -L100 -0 -- setpriv --reuid ${users[$i]} --regid mktex
--init-groups chmod g+rw
+ find -P $p \( \( -type d -and -not -type l \) -and -user
${users[$i]} \) -print0 | \
+ xargs -r -L100 -0 -- setpriv --reuid ${users[$i]} --regid mktex
--init-groups chmod g+rwsx
+ done
done
+ unset i u
+fi
+
+if test "$CLEAR_TEXMF_FONTS" = "yes" -a -n "$VARTEXFONTS"
+then
+ for p in $VARTEXFONTS
+ do
+ test -d $p/pk && find -P $p/pk \( -not -type d -and
-atime +20 \) -print0
+ test -d $p/tfm && find -P $p/tfm \( -not -type d -and
-atime +60 \) -print0
+ test -d $p/source && find -P $p/source \( -not -type d -and
-atime +60 \) -print0
+ done > >(exec -a xargs xargs -r -L100 -0 -- setpriv --reuid mktex --regid
mktex --init-groups rm -f)
fi
if test -n "$VARTEXFONTS"
then
- for uid in ${uids[@]}
+ for p in $VARTEXFONTS
do
- for p in $VARTEXFONTS
- do
- test -d $p/pk/ && find $p/pk/ \( -not -type d -and -not
-name '*.*pk' -uid $uid \) -print0
- test -d $p/tfm/ && find $p/tfm/ \( -not -type d -and -not
-name '*.tfm' -uid $uid \) -print0
- test -d $p/source/ && find $p/source/ \( -not -type d -and -not
-name '*.mf' -uid $uid \) -print0
- test -d $p/ && find $p/ \( -not -type d -and -path
'*/[^[:alnum:]]*' -uid $uid \) -print0
- done > >(exec -a xargs xargs -r -L100 -0 -- setpriv --reuid $uid
--regid mktex --init-groups rm -vf)
- for p in $VARTEXFONTS
- do
- test -d $p/ && find $p/ -depth \( -type d -and -path
'*/[^[:alnum:]]*' -and -uid $uid \) -print0
- done > >(exec -a xargs xargs -r -L100 -0 -- setpriv --reuid $uid
--regid mktex --init-groups rm -vfr)
- done
+ test -d $p/pk && find -P $p/pk \( -not -type d -and
-not -name '*.*pk' \) -print0
+ test -d $p/tfm && find -P $p/tfm \( -not -type d -and
-not -name '*.tfm' \) -print0
+ test -d $p/source && find -P $p/source \( -not -type d -and
-not -name '*.mf' \) -print0
+ test -d $p && find -P $p \( -not -type d -and
-path '*/[^[:alnum:]]*' \) -print0
+ done > >(exec -a xargs xargs -r -L100 -0 -- setpriv --reuid mktex --regid
mktex --init-groups rm -vf)
+ for p in $VARTEXFONTS
+ do
+ test -d $p && find -P $p -depth \( -type d -and -path '*/[^[:alnum:]]*'
\) -print0
+ done > >(exec -a xargs xargs -r -L100 -0 -- setpriv --reuid mktex --regid
mktex --init-groups rm -vfr)
fi
#
# Update the ls-R's
+# Note that this is done as user mktex
#
mktexlsr > /dev/null
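Review bot: The member list is not split correctly in the new HAVE_MKTEX_MEMBERS block. With `IFS=:` the line from `getent group mktex` yields four fields, the fourth being the whole comma-separated member list, so `seq 3 $u` visits a single element and `-user ${users[$i]}` and `--reuid ${users[$i]}` receive `a,b,c` as one name once the group has more than one member. Setting `IFS=:,` for the array assignment splits the members into separate elements and keeps the index-3 start valid. `$p` and `${users[$i]}` are also unquoted in the `find` and `setpriv` calls; `"$p"` and `"${users[$i]}"` would avoid word splitting and globbing. The added comment says the ls-R update is done as user mktex, but the visible `mktexlsr > /dev/null` has no `setpriv`, so that statement is worth confirming.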
++++++ update.texlive ++++++
--- /var/tmp/diff_new_pack.EulXGM/_old 2020-06-11 16:19:10.742928419 +0200
+++ /var/tmp/diff_new_pack.EulXGM/_new 2020-06-11 16:19:10.746928430 +0200
@@ -50,12 +50,13 @@
unset ${!LC_*}
LANG=POSIX
MKTEXLSR=true
-export LANG MKTEXLSR
+UPDMAPSYNC=yes
+export LANG MKTEXLSR UPDMAPSYNC
#
# Sanity check
#
-size=$(find /etc/texmf/ls-R -follow -printf '%s')
+size=$(find /etc/texmf/ls-R -follow -printf '%s' || echo 0)
test $size -lt 80 && > /var/run/texlive/run-mktexlsr
rotator ()