Vigil@nce - TeX Live: file corruption via /tmp/mktexlsrtrees.tmp
May 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can create a symbolic link named
/tmp/mktexlsrtrees.tmp, in order to alter the pointed file, with
privileges of TeX Live.
– Impacted products: Fedora
– Severity: 1/4
– Creation date: 13/05/2015
DESCRIPTION OF THE VULNERABILITY
The TeX Live product uses a temporary file named
/tmp/mktexlsrtrees.tmp.
However, when the file is opened, the program does not check if it
is an existing symbolic link. The file pointed by the link is thus
opened with privileges of the program.
Moreover, the file name is predictable, and is located in a
publicly writable directory, so the attacker can create the
symbolic link before its usage.
A local attacker can therefore create a symbolic link named
/tmp/mktexlsrtrees.tmp, in order to alter the pointed file, with
privileges of TeX Live.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/TeX-Live-file-corruption-via-tmp-mktexlsrtrees-tmp-16900