Bug#775139: mktexlsr: insecure use of /tmp

2015-01-13 Thread Julian Gilbey 
On Tue, Jan 13, 2015 at 08:24:48AM +0900, Norbert Preining wrote:
 Dear Jakub,
 
  treefile=`mktemp --tmpdir mktexlsrtrees.XX` || exit 1
 
 Thanks, that is fine. I have build, tested, and uploaded new packages.
 In 4 days or so I will ask for a freeze exception.

You don't need to wait that long if you don't want to - you can ask
for an exception immediately following an upload.

   Julian


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#775139: mktexlsr: insecure use of /tmp

2015-01-13 Thread Norbert Preining 
Hi Julian,

 You don't need to wait that long if you don't want to - you can ask
 for an exception immediately following an upload.

Yes, but I want to make sure that all rebuilds have worked and that
no new problems arise ;-) Not very likely, but still a chacne.

Norbert


PREINING, Norbert   http://www.preining.info
JAIST, Japan TeX Live  Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0  ACF0 6CAC A448 860C DC13



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#775139: mktexlsr: insecure use of /tmp

2015-01-12 Thread Norbert Preining 
 treefile=${TMPDIR-/tmp}/mktexlsrtrees$$.tmp
[...]
 Please use mktemp(1) for creating temporary files.

Is this fine?
--- texlive-bin.orig/texk/kpathsea/mktexlsr
+++ texlive-bin/texk/kpathsea/mktexlsr
@@ -73,7 +73,7 @@
 dry_run=false
 trees=

-treefile=${TMPDIR-/tmp}/mktexlsrtrees$$.tmp
+treefile=`mktemp -q --tmpdir mktexlsrtrees.XX`
 trap 'cd /; rm -f $treefile; test -z $db_dir_tmp || rm -rf $db_dir_tmp;
   exit' 0 1 2 3 7 13 15

?

Should I upload this to unstable now for jhessie?


Norbert


PREINING, Norbert   http://www.preining.info
JAIST, Japan TeX Live  Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0  ACF0 6CAC A448 860C DC13



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#775139: mktexlsr: insecure use of /tmp

2015-01-12 Thread Jakub Wilk 

Hi Norbert!

Thanks for the quick reply.

* Norbert Preining prein...@logic.at, 2015-01-12, 22:18:

treefile=${TMPDIR-/tmp}/mktexlsrtrees$$.tmp
[...]
Please use mktemp(1) for creating temporary files.


Is this fine?
--- texlive-bin.orig/texk/kpathsea/mktexlsr
+++ texlive-bin/texk/kpathsea/mktexlsr
@@ -73,7 +73,7 @@
dry_run=false
trees=

-treefile=${TMPDIR-/tmp}/mktexlsrtrees$$.tmp
+treefile=`mktemp -q --tmpdir mktexlsrtrees.XX`


It's mostly fine.

Why silence errors from mktemp(1)? You get rather mysterious errors if 
creating the temporary file fails:


$ TMPDIR=/moo mktexlsr .
/usr/bin/mktexlsr: 113: /usr/bin/mktexlsr: cannot create : Directory nonexistent
mktexlsr: : could not append to arg file, goodbye.
mktexlsr: /var/lib/texmf: directory not writable. Skipping...
mktexlsr: /var/lib/texmf: directory not writable. Skipping...
mktexlsr: /var/lib/texmf: directory not writable. Skipping...
mktexlsr: Done.


I'd suggest dropping -q, and making the script exit early if mktemp 
fails:


treefile=`mktemp --tmpdir mktexlsrtrees.XX` || exit 1

With that change, the error message is clear:

$ TMPDIR=/moo mktexlsr .
mktemp: failed to create file via template ‘/moo/mktexlsrtrees.XX’: No 
such file or directory



Should I upload this to unstable now for jhessie?


Jessie RC policy[0] says that “any programs and scripts that create 
files in /tmp or other world writable directories must use a mechanism 
which fails if the file already exists”. So it's arguably RC for jessie.



[0] https://release.debian.org/jessie/rc_policy.txt

--
Jakub Wilk


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#775139: mktexlsr: insecure use of /tmp

2015-01-12 Thread Norbert Preining 
Dear Jakub,

 treefile=`mktemp --tmpdir mktexlsrtrees.XX` || exit 1

Thanks, that is fine. I have build, tested, and uploaded new packages.
In 4 days or so I will ask for a freeze exception.

All the best

Norbert


PREINING, Norbert   http://www.preining.info
JAIST, Japan TeX Live  Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0  ACF0 6CAC A448 860C DC13



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#775139: mktexlsr: insecure use of /tmp

2015-01-11 Thread Jakub Wilk 

Package: texlive-binaries
Version: 2014.20140926.35254-4
Tags: security

This is how mktexlsr uses temporary files (with boring parts snipped):

treefile=${TMPDIR-/tmp}/mktexlsrtrees$$.tmp
# ...
while test $# -gt 0; do
   # ...
   (umask 077
   if echo $1 $treefile; then :; else
 echo $progname: $treefile: could not append to arg file, goodbye. 2
 exit 1
   fi
   # ...
done


This is insecure because the filename is predictable and, more 
importantly, the program doesn't fail atomically if the file already 
exists.


Please use mktemp(1) for creating temporary files.

--
Jakub Wilk


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org