FreeBSD Security Advisories
2006-Jan-11 00:20 UTC
FreeBSD Security Advisory FreeBSD-SA-06:01.texindex
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-06:01.texindex                                   Security Advisory
                                                          The FreeBSD Project
Topic: Texindex temporary file privilege escalation
Category: contrib
Module: texinfo
Announced: 2006-01-11
Credits: Frank Lichtenheld
Affects: All FreeBSD releases.
Corrected: 2006-01-11 08:02:16 UTC (RELENG_6, 6.0-STABLE)
           2006-01-11 08:03:18 UTC (RELENG_6_0, 6.0-RELEASE-p2)
           2006-01-11 08:03:55 UTC (RELENG_5, 5.4-STABLE)
           2006-01-11 08:04:33 UTC (RELENG_5_4, 5.4-RELEASE-p9)
           2006-01-11 08:05:54 UTC (RELENG_5_3, 5.3-RELEASE-p24)
           2006-01-11 08:06:47 UTC (RELENG_4, 4.11-STABLE)
           2006-01-11 08:07:18 UTC (RELENG_4_11, 4.11-RELEASE-p14)
           2006-01-11 08:08:08 UTC (RELENG_4_10, 4.10-RELEASE-p20)
CVE Name: CAN-2005-3011
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.
I. Background
TeX is a document typesetting system which is popular in the mathematics,
physics, and computer science realms because of its ability to typeset
complex mathematical formulas. texindex(1) is a utility which is often
used to generate a sorted index of a TeX file.
II. Problem Description
The "sort_offline" function used by texindex(1) employs the "maketempname"
function, which produces predictable file names and fails to validate that
the paths do not exist.
III. Impact
These predictable temporary file names are problematic because they
allow an attacker to take advantage of a race condition in order to
execute a symlink attack, which could enable them to overwrite files
on the system in the context of the user running the texindex(1) utility.
IV. Workaround
No workaround is available, but the problematic code is only executed
if the input file being processed is 500kB or more in length; as a
result, users working with documents of less than several hundred pages
are very unlikely to be affected.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or
RELENG_4_10 security branch dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, 5.4, and 6.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 4.x and 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch.asc
[FreeBSD 6.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/texinfo/texindex
# make obj && make depend && make && make install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                      Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  contrib/texinfo/util/texindex.c           1.1.1.3.2.4
RELENG_4_11
  src/UPDATING                              1.73.2.91.2.15
  src/sys/conf/newvers.sh                   1.44.2.39.2.18
  contrib/texinfo/util/texindex.c           1.1.1.3.2.3.6.1
RELENG_4_10
  src/UPDATING                              1.73.2.90.2.21
  src/sys/conf/newvers.sh                   1.44.2.34.2.22
  contrib/texinfo/util/texindex.c           1.1.1.3.2.3.4.1
RELENG_5
  contrib/texinfo/util/texindex.c           1.1.1.7.4.1
RELENG_5_4
  src/UPDATING                              1.342.2.24.2.18
  src/sys/conf/newvers.sh                   1.62.2.18.2.14
  contrib/texinfo/util/texindex.c           1.1.1.7.8.1
RELENG_5_3
  src/UPDATING                              1.342.2.13.2.27
  src/sys/conf/newvers.sh                   1.62.2.15.2.29
  contrib/texinfo/util/texindex.c           1.1.1.7.6.1
RELENG_6
  contrib/texinfo/util/texindex.c           1.1.1.8.2.1
RELENG_6_0
  src/UPDATING                              1.416.2.3.2.7
  src/sys/conf/newvers.sh                   1.69.2.8.2.3
  contrib/texinfo/util/texindex.c           1.1.1.8.4.1
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3011
The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:01.texindex.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
iD8DBQFDxL4PFdaIBMps37IRAoJSAJ9kEVz5knEPcpUDw4psmKpbBjFH8wCfa7mq
u+tT93VL13dZm8/9WCMU51k=z4va
-----END PGP SIGNATURE-----
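
The pattern described in sections II and III of the advisory, as an added example (not code from the advisory or from texinfo): a predictable name opened without O_EXCL, next to an mkstemp()-based replacement. The function names, the `txidx` prefix and the scratch paths are assumptions made for the illustration; everything happens inside a private directory created by mkdtemp().

```c
#define _XOPEN_SOURCE 700 /* expose mkstemp(), mkdtemp(), symlink() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern (illustrative, not texindex's code): prefix + counter name,
   opened without O_EXCL, so a symlink already at that path is followed. */
static int open_predictable(const char *dir, int n, char *out, size_t len) {
    snprintf(out, len, "%s/txidx%d", dir, n);
    return open(out, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: mkstemp() picks an unpredictable name and creates the file with
   O_CREAT|O_EXCL, so an existing file or symlink is never opened. */
static int open_safe(const char *dir, char *out, size_t len) {
    snprintf(out, len, "%s/txidxXXXXXX", dir);
    return mkstemp(out);
}

/* Constructed scenario in a private scratch directory: "victim" stands in for
   a file owned by the user running the tool, and a symlink to it already sits
   at the first predictable name. Returns victim's size after the open. */
long victim_size_after(int use_safe) {
    char dir[] = "/tmp/sa0601.XXXXXX", victim[64], link_path[64], tmp[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_path, sizeof link_path, "%s/txidx0", dir);
    FILE *f = fopen(victim, "w");
    if (f == NULL) return -1;
    fputs("important", f); /* 9 bytes of content */
    fclose(f);
    if (symlink(victim, link_path) != 0) return -1;
    int fd = use_safe ? open_safe(dir, tmp, sizeof tmp)
                      : open_predictable(dir, 0, tmp, sizeof tmp);
    if (fd >= 0) close(fd); /* with O_TRUNC the damage is done at open() */
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    if (use_safe && fd >= 0) unlink(tmp);
    unlink(link_path); unlink(victim); rmdir(dir); /* remove scratch files */
    return size;
}

int main(void) {
    printf("predictable name: %ld bytes left\n", victim_size_after(0));
    printf("mkstemp():        %ld bytes left\n", victim_size_after(1));
    return 0;
}
```
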
-----Original Message-----
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Date: Wed, 11 Jan 2006 08:19:04 GMT
Subject: FreeBSD Security Advisory FreeBSD-SA-06:01.texindex
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/gnu/usr.bin/texinfo/texindex
> # make obj && make depend && make && make install
does not compile on 5.4-RELEASE
make obj && make depend && make && make install
make: don't know how to make /usr/src/gnu/usr.bin/texinfo/texindex/../libtxi/libtxi.a. Stop
root@serv.slavcred.ru [ttyp1] /usr/src/gnu/usr.bin/texinfo/texindex
make clean
rm -f texindex texindex.o texindex.1.gz texindex.1.cat.gz
root@serv.slavcred.ru [ttyp1] /usr/src/gnu/usr.bin/texinfo/texindex
make obj && make depend && make && make install
cc -O -pipe -march=pentium4 -DHAVE_CONFIG_H -DLOCALEDIR=\"/usr/share/locale\" -I/usr/src/gnu/usr.bin/texinfo/texindex/../../../../contrib/texinfo -I/usr/src/gnu/usr.bin/texinfo/texindex/../../../../contrib/texinfo/lib -c /usr/src/gnu/usr.bin/texinfo/texindex/../../../../contrib/texinfo/util/texindex.c
make: don't know how to make /usr/src/gnu/usr.bin/texinfo/texindex/../libtxi/libtxi.a. Stop
uname -a
FreeBSD serv.*.ru 5.4-RELEASE-p3 FreeBSD 5.4-RELEASE-p3 #0: Mon Jul 4 19:06:03 MSD 2005 root@serv.*.ru:/usr/obj/usr/src/sys/9 i386
> RELENG_5_4
>   src/UPDATING 1.342.2.24.2.18
>   src/sys/conf/newvers.sh 1.62.2.18.2.14
>   contrib/texinfo/util/texindex.c 1.1.1.7.8.1
head -n 2 /usr/src/contrib/texinfo/util/texindex.c
/* texindex -- sort TeX index dribble output into an actual index.
   $Id: texindex.c,v 1.9 2003/05/19 13:10:59 karl Exp $
Richard Kojedzinszky
2006-Jan-12 04:01 UTC
FreeBSD Security Advisory FreeBSD-SA-06:01.texindex
Yes, my clock is right. I have no idea what I am doing wrong. If someone
would confirm that the sources compile well, then I will try to find the
bug in my system.
regards,
Kojedzinszky Richard
TvNetWork Rt.
E-mail: krichy@tvnetwork.hu
PGP: 0x24E79141
Fingerprint = 6847 ECFF EF58 0C09 18A5 16CF 270F 0C6F 24E7 9141
On Thu, 12 Jan 2006, Christoph Schug wrote:
> On Thu, Jan 12, 2006, Richard Kojedzinszky wrote:
>
>> I ran into the same trouble, but I decided to cvsup my sources, and try to
>> rebuild all, but that also failed.
>
> Can you check your system clock is correct? I had sames strange build
> results in the past when my system time drifted several hours after my
> NTP server died without notice.
>
> -cs
>
-----Original Message-----
From: Richard Kojedzinszky <krichy@tvnetwork.hu>
To: Christoph Schug <chris+freebsd-security@schug.net>
Date: Thu, 12 Jan 2006 12:55:51 +0100 (CET)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:01.texindex
>
> Yes, my clock is right. I have no idea what I am doing wrong. If someone
> would confirm that the sources compile well, then I will try to find the
> bug in my system.
>
Try the following command:
rm -R /usr/obj/* && cd /usr/src/gnu/usr.bin/texinfo/libtxi && make clean && make obj && make depend && make && cd /usr/src/gnu/usr.bin/texinfo/texindex && make clean && make obj && make depend && make && make install
For me it works fine.
Simon L. Nielsen
2006-Jan-12 06:08 UTC
FreeBSD Security Advisory FreeBSD-SA-06:01.texindex
On 2006.01.12 12:55:51 +0100, Richard Kojedzinszky wrote:
> On Thu, 12 Jan 2006, Christoph Schug wrote:
> >On Thu, Jan 12, 2006, Richard Kojedzinszky wrote:
> >>I ran into the same trouble, but I decided to cvsup my sources, and try to
> >>rebuild all, but that also failed.
> >
> >Can you check your system clock is correct? I had sames strange build
> >results in the past when my system time drifted several hours after my
> >NTP server died without notice.
>
> Yes, my clock is right. I have no idea what I am doing wrong. If someone
> would confirm that the sources compile well, then I will try to find the
> bug in my system.
My buildworld of RELENG_5_4 on my mailserver (which already runs 5.4,
just for reference) just completed successfully, so it sounds like a
local problem.
--
Simon L. Nielsen
Giorgos Keramidas
2006-Jan-13 04:59 UTC
FreeBSD Security Advisory FreeBSD-SA-06:01.texindex
On 2006-01-13 13:50, Peter Rosa <prosa@pro.sk> wrote:
> > For the reference:
> > make cleandir; make cleandir
>
> how could we list ALL possible options, defined in /usr/src, please?
> Those listed above are both new options I never heard about before.
They are already listed in the build(7) manpage.
> BTW, what are ALL possible options in /usr/ports too, please?
These are also listed in the ports(7) manpage.