Bug#775139: mktexlsr: insecure use of /tmp
On Tue, Jan 13, 2015 at 08:24:48AM +0900, Norbert Preining wrote:
> Dear Jakub,
>
> > treefile=`mktemp --tmpdir mktexlsrtrees.XX` || exit 1
>
> Thanks, that is fine. I have built, tested, and uploaded new packages.
> In 4 days or so I will ask for a freeze exception.

You don't need to wait that long if you don't want to - you can ask for
an exception immediately following an upload.

Julian

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#775139: mktexlsr: insecure use of /tmp
Hi Julian,

> You don't need to wait that long if you don't want to - you can ask for
> an exception immediately following an upload.

Yes, but I want to make sure that all rebuilds have worked and that no
new problems arise ;-) Not very likely, but still a chance.

Norbert

PREINING, Norbert                              http://www.preining.info
JAIST, Japan                                  TeX Live Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
Bug#775139: mktexlsr: insecure use of /tmp
> treefile=${TMPDIR-/tmp}/mktexlsrtrees$$.tmp
> [...]
> Please use mktemp(1) for creating temporary files.

Is this fine?

--- texlive-bin.orig/texk/kpathsea/mktexlsr
+++ texlive-bin/texk/kpathsea/mktexlsr
@@ -73,7 +73,7 @@
 dry_run=false
 trees=
-treefile=${TMPDIR-/tmp}/mktexlsrtrees$$.tmp
+treefile=`mktemp -q --tmpdir mktexlsrtrees.XX`
 trap 'cd /; rm -f $treefile; test -z $db_dir_tmp || rm -rf $db_dir_tmp; exit' 0 1 2 3 7 13 15

Should I upload this to unstable now for jessie?

Norbert

PREINING, Norbert                              http://www.preining.info
JAIST, Japan                                  TeX Live Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
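Review bot: the "+treefile=`mktemp -q --tmpdir ...`" line silences mktemp's diagnostics with -q and nothing checks its exit status, so when the file cannot be created (for example an unusable TMPDIR) treefile is left empty, the later ">>$treefile" append fails with a confusing message, and the "rm -f $treefile" in the trap line below runs with an empty name. Drop -q and bail out on failure, e.g. treefile=`mktemp --tmpdir mktexlsrtrees.XX` || exit 1, so the script stops with mktemp's own error. Also, the template as shown here ends in only two X characters, while GNU mktemp requires at least three consecutive X's in the last path component; verify the template in the committed patch. The trap itself should also quote $treefile and $db_dir_tmp so an empty db_dir_tmp cannot turn "test -z" into a one-argument test.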
Bug#775139: mktexlsr: insecure use of /tmp
Hi Norbert!

Thanks for the quick reply.

* Norbert Preining prein...@logic.at, 2015-01-12, 22:18:
> > treefile=${TMPDIR-/tmp}/mktexlsrtrees$$.tmp
> > [...]
> > Please use mktemp(1) for creating temporary files.
>
> Is this fine?
>
> --- texlive-bin.orig/texk/kpathsea/mktexlsr
> +++ texlive-bin/texk/kpathsea/mktexlsr
> @@ -73,7 +73,7 @@
>  dry_run=false
>  trees=
> -treefile=${TMPDIR-/tmp}/mktexlsrtrees$$.tmp
> +treefile=`mktemp -q --tmpdir mktexlsrtrees.XX`

It's mostly fine.

Why silence errors from mktemp(1)? You get rather mysterious errors if
creating the temporary file fails:

  $ TMPDIR=/moo mktexlsr .
  /usr/bin/mktexlsr: 113: /usr/bin/mktexlsr: cannot create : Directory nonexistent
  mktexlsr: : could not append to arg file, goodbye.
  mktexlsr: /var/lib/texmf: directory not writable. Skipping...
  mktexlsr: /var/lib/texmf: directory not writable. Skipping...
  mktexlsr: /var/lib/texmf: directory not writable. Skipping...
  mktexlsr: Done.

I'd suggest dropping -q, and making the script exit early if mktemp fails:

  treefile=`mktemp --tmpdir mktexlsrtrees.XX` || exit 1

With that change, the error message is clear:

  $ TMPDIR=/moo mktexlsr .
  mktemp: failed to create file via template ‘/moo/mktexlsrtrees.XX’: No such file or directory

> Should I upload this to unstable now for jessie?

Jessie RC policy[0] says that “any programs and scripts that create
files in /tmp or other world writable directories must use a mechanism
which fails if the file already exists”. So it's arguably RC for jessie.

[0] https://release.debian.org/jessie/rc_policy.txt

-- 
Jakub Wilk
Bug#775139: mktexlsr: insecure use of /tmp
Dear Jakub,

> treefile=`mktemp --tmpdir mktexlsrtrees.XX` || exit 1

Thanks, that is fine. I have built, tested, and uploaded new packages.
In 4 days or so I will ask for a freeze exception.

All the best

Norbert

PREINING, Norbert                              http://www.preining.info
JAIST, Japan                                  TeX Live Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
Bug#775139: mktexlsr: insecure use of /tmp
Package: texlive-binaries
Version: 2014.20140926.35254-4
Tags: security

This is how mktexlsr uses temporary files (with boring parts snipped):

  treefile=${TMPDIR-/tmp}/mktexlsrtrees$$.tmp
  # ...
  while test $# -gt 0; do
    # ...
    (umask 077
     if echo $1 >>$treefile; then :; else
       echo "$progname: $treefile: could not append to arg file, goodbye." >&2
       exit 1
     fi)
    # ...
  done

This is insecure because the filename is predictable and, more
importantly, the program doesn't fail atomically if the file already
exists.

Please use mktemp(1) for creating temporary files.

-- 
Jakub Wilk
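The temp-file handling this report and Jakub's follow-up converge on (an arg file created by mktemp(1), a loud early exit when creation fails, and a cleanup trap), shown side by side with the predictable-name pattern, as an added shell example that is not part of the thread or of mktexlsr itself. It assumes GNU coreutils (mktemp --tmpdir, stat -c); the function names and the mktexlsrtrees prefix are illustrative.

```shell
#!/bin/sh
# Added example, not mktexlsr's own code.  mktemp(1) creates the arg file
# with O_EXCL and mode 0600 under an unpredictable name, the exit status is
# checked so a bad TMPDIR fails loudly and early, and a trap removes the
# file on exit or on the same signals mktexlsr traps.
# Assumptions: GNU coreutils (mktemp --tmpdir, stat -c); the function names
# and the mktexlsrtrees prefix are illustrative.

# Insecure "before": a fixed name derived from the PID, and the later >>
# append neither creates exclusively nor fails if the path already exists.
old_treefile() {
    echo "${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
}

# Secure "after": sets $treefile and returns 1 (with mktemp's own
# diagnostic on stderr) if the file cannot be created.  No -q, so the
# failure is not silent and no later step runs with an empty filename.
save_args() {
    treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXX` || return 1
    trap 'rm -f "$treefile"' 0 1 2 3 7 13 15
    # Append one argument per line inside a umask 077 subshell, as the
    # original script does; stop at the first write failure.
    (umask 077
     for arg; do
        printf '%s\n' "$arg" >>"$treefile" || exit 1
     done) || return 1
}

# Post-creation check: the arg file exists, is a regular file rather than
# a symlink planted under the temp directory, and is private (mode 0600).
treefile_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ "`stat -c %a "$1"`" = 600 ]
}

# Number of arguments recorded in the arg file.
count_args() {
    wc -l <"$1" | tr -d ' '
}
```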