Bugzilla – Bug 920172
VUL-0: CVE-2015-0296: texlive: texlive rpm scriptlet allows unprivileged user to delete arbitrary files
Last modified: 2015-03-02 10:16:01 UTC
via oss-sec (I think we use a different method and do not try to clean home directories...)

A flaw was found in the pre-install script of the texlive-base package derived from the texlive package. This flaw allows an unprivileged user to remove arbitrary files on the system.

    ~ rpm -qa texlive-base --scripts
    preinstall scriptlet (using /bin/sh):
    rm -rf /usr/share/texlive/texmf-var
    rm -rf /var/lib/texmf/*
    # Following script in the preinstall scriptlet allows attacker to remove arbitrary files on the systems
    for i in `find /home/*/.texlive* -type d -prune`; do
            find $i -name *.fmt -type f | xargs rm -f > /dev/null 2>&1
    done
    ...

An attacker can create a malicious file in his $HOME directory that would trigger file removal and wait for the texlive-base package to be updated by the administrator; when the package is updated, it runs the preinstall scriptlet, which would then run the malicious file in the attacker's $HOME directory as a privileged user.

Reproducer and more information:
https://bugzilla.redhat.com/show_bug.cgi?id=1099238

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1197082
http://seclists.org/oss-sec/2015/q1/703
Werner, can you please check that we do not use /home cleaning?
IMHO we are not affected (besides this I would not use hardcoded /home/):

    werner/texlive> find -name '*.spec' | xargs sed -rn '/^%pre([[:blank:]])|^%pre$/,/^%/p'
    %pre
    ## POST
    %post
    %pre
    if test "$1" = 1 -a -z "$(%{_bindir}/getent group %{texgrp} 2>/dev/null)"; then
        %{_sbindir}/groupadd -r %{?texgid:-g %texgid} %{texgrp}
    fi
    %post
    %pre kpathsea-bin
    if test "$1" = 1 -a -z "$(%{_bindir}/getent group %{texgrp} 2>/dev/null)"; then
        %{_sbindir}/groupadd -r %{?texgid:-g %texgid} %{texgrp}
    fi
    %post kpathsea-bin
    %pre kpathsea-bin
    if test "$1" = 1 -a -z "$(%{_bindir}/getent group %{texgrp} 2>/dev/null)"; then
        %{_sbindir}/groupadd -r %{?texgid:-g %texgid} %{texgrp}
    fi
    %post kpathsea-bin
    %pre kpathsea-bin
    if test "$1" = 1 -a -z "$(%{_bindir}/getent group %{texgrp} 2>/dev/null)"; then
        %{_sbindir}/groupadd -r %{?texgid:-g %texgid} %{texgrp}
    fi
    %post kpathsea-bin
    %pre
    if ! %{_bindir}/getent group %{texgrp} > /dev/null 2>&1 ; then
        %{_sbindir}/groupadd -r %{?texgid:-g %texgid} %{texgrp}
    fi
    %post
    %pre
    if test "$1" = 1 -a -z "$(%{_bindir}/getent group %{texgrp} 2>/dev/null)"; then
        %{_sbindir}/groupadd -r %{?texgid:-g %texgid} %{texgrp}
    fi
    %post
    %pre
    if test "$1" = 1 -a -z "$(%{_bindir}/getent group %{texgrp} 2>/dev/null)"; then
        %{_sbindir}/groupadd -r %{?texgid:-g %texgid} %{texgrp}
    fi
    %post
    %pre kpathsea-bin
    if test "$1" = 1 -a -z "$(%{_bindir}/getent group %{texgrp} 2>/dev/null)"; then
        %{_sbindir}/groupadd -r %{?texgid:-g %texgid} %{texgrp}
    fi
    %post kpathsea-bin
    %pre kpathsea-bin
    if test "$1" = 1 -a -z "$(%{_bindir}/getent group %{texgrp} 2>/dev/null)"; then
        %{_sbindir}/groupadd -r %{?texgid:-g %texgid} %{texgrp}
    fi
    %post kpathsea-bin
    %pre kpathsea-bin
    if test "$1" = 1 -a -z "$(%{_bindir}/getent group %{texgrp} 2>/dev/null)"; then
        %{_sbindir}/groupadd -r %{?texgid:-g %texgid} %{texgrp}
    fi
    %post kpathsea-bin
    %pre
    if test "$1" = 1 -a -z "$(%{_bindir}/getent group %{texgrp} 2>/dev/null)"; then
        %{_sbindir}/groupadd -r %{?texgid:-g %texgid} %{texgrp}
    fi
    %post
    %pre
    if test "$1" = 1 -a -z "$(%{_bindir}/getent group %{texgrp} 2>/dev/null)"; then
        %{_sbindir}/groupadd -r %{?texgid:-g %texgid} %{texgrp}
    fi
    %post
    %pre kpathsea-bin
    if test "$1" = 1 -a -z "$(%{_bindir}/getent group %{texgrp} 2>/dev/null)"; then
        %{_sbindir}/groupadd -r %{?texgid:-g %texgid} %{texgrp}
    fi
    %post kpathsea-bin
    %pre kpathsea-bin
    if test "$1" = 1 -a -z "$(%{_bindir}/getent group %{texgrp} 2>/dev/null)"; then
        %{_sbindir}/groupadd -r %{?texgid:-g %texgid} %{texgrp}
    fi
    %post kpathsea-bin