1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
|
By Martin Väth, vaeth@mathematik.uni-wuerzburg.de
CVE-2008-5743 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5743):
pdfjam creates the (1) pdf90, (2) pdfjoin, and (3) pdfnup files with
a predictable name, which allows local users to overwrite arbitrary
files via a symlink attack.
Actually there is a much more severe security issue in pdfjam:
In the default setting it puts the current directory into PATH (because
pdflatex has an empty dirname which is put at the beginning of PATH).
The attached patch fixes both security issues, for simplicity requiring that
"mktemp -d" is available and working.
In addition, it replaces the non-POSIX "source" by ".": Since the scripts are
#!/bin/sh and not #!/bin/bash the should be at least POSIX-conformal (these
scripts would otherwise break in gentoo if /bin/sh is a symlink to dash).
Name: CVE-2008-5843
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5843
Published: 2009-01-05
Severity: Medium
Description:
Multiple untrusted search path vulnerabilities in pdfjam allow local
users to gain privileges via a Trojan horse program in (1) the current
working directory or (2) /var/tmp, related to the (a) pdf90, (b)
pdfjoin, and (c) pdfnup scripts.
https://bugs.gentoo.org/show_bug.cgi?id=252734
--- scripts/pdf90
+++ scripts/pdf90
@@ -43,12 +43,12 @@
for d in /etc /usr/share/etc /usr/local/share /usr/local/etc
do if test -f $d/pdfnup.conf; then
echo "Reading site configuration from $d/pdfnup.conf"
- source $d/pdfnup.conf
+ . $d/pdfnup.conf
fi
done
if test -f ~/.pdfnup.conf; then
echo "Reading user defaults from ~/.pdfnup.conf";
- source ~/.pdfnup.conf;
+ . ~/.pdfnup.conf;
fi
#######################################################################
##
@@ -71,8 +71,8 @@
##
## Check that necessary LaTeX packages are installed
##
-PATH=`dirname "$pdflatex"`:$PATH
-export PATH
+modifyPath="${pdflatex%/*}"
+[ -n "$modifyPath" ] && export PATH="$modifyPath:$PATH"
case `kpsewhich pdfpages.sty` in
"") echo "pdf90: pdfpages.sty not installed"; exit 1;;
esac
@@ -136,6 +136,19 @@
##
## That's the arguments done.
##
+
+mkTempDir=''
+trap 'test -n "$mkTempDir" && test -d "$mkTempDir" && \
+ rm -rf -- "$mkTempDir" && mkTempDir=""; \
+ trap - EXIT HUP INT TERM' EXIT HUP INT TERM
+if ! command -v mktemp >/dev/null 2>&1 || \
+ ! mkTempDir=`mktemp -d -- "$tempfileDir/pdf90.XXXXXX"`
+then
+ echo "pdf90: cannot create temporary directory"
+ exit 2
+fi
+tempfileDir=$mkTempDir
+
##
## Now work on the input file (or files in turn)
##
--- scripts/pdfjoin
+++ scripts/pdfjoin
@@ -50,12 +50,12 @@
for d in /etc /usr/share/etc /usr/local/share /usr/local/etc
do if test -f $d/pdfnup.conf; then
echo "Reading site configuration from $d/pdfnup.conf"
- source $d/pdfnup.conf
+ . $d/pdfnup.conf
fi
done
if test -f ~/.pdfnup.conf; then
echo "Reading user defaults from ~/.pdfnup.conf";
- source ~/.pdfnup.conf;
+ . ~/.pdfnup.conf;
fi
#######################################################################
##
@@ -99,8 +99,8 @@
##
## Check that necessary LaTeX packages are installed
##
-PATH=`dirname "$pdflatex"`:$PATH
-export PATH
+modifyPath="${pdflatex%/*}"
+[ -n "$modifyPath" ] && export PATH="$modifyPath:$PATH"
case `kpsewhich pdfpages.sty` in
"") echo "pdfjoin: pdfpages.sty not installed"; exit 1;;
esac
@@ -171,6 +171,19 @@
##
## That's the arguments done.
##
+
+mkTempDir=''
+trap 'test -n "$mkTempDir" && test -d "$mkTempDir" && \
+ rm -rf -- "$mkTempDir" && mkTempDir=""; \
+ trap - EXIT HUP INT TERM' EXIT HUP INT TERM
+if ! command -v mktemp >/dev/null 2>&1 || \
+ ! mkTempDir=`mktemp -d -- "$tempfileDir/pdfjoin.XXXXXX"`
+then
+ echo "pdfjoin: cannot create temporary directory"
+ exit 2
+fi
+tempfileDir=$mkTempDir
+
##
## Now work on the input files
##
--- scripts/pdfnup
+++ scripts/pdfnup
@@ -57,12 +57,12 @@
for d in /etc /usr/share/etc /usr/local/share /usr/local/etc
do if test -f $d/pdfnup.conf; then
echo "Reading site configuration from $d/pdfnup.conf"
- source $d/pdfnup.conf
+ . $d/pdfnup.conf
fi
done
if test -f ~/.pdfnup.conf; then
echo "Reading user defaults from ~/.pdfnup.conf";
- source ~/.pdfnup.conf;
+ . ~/.pdfnup.conf;
fi
#######################################################################
##
@@ -134,8 +134,8 @@
##
## Check that necessary LaTeX packages are installed
##
-PATH=`dirname "$pdflatex"`:$PATH
-export PATH
+modifyPath="${pdflatex%/*}"
+[ -n "$modifyPath" ] && export PATH="$modifyPath:$PATH"
case `kpsewhich pdfpages.sty` in
"") echo "pdfnup: pdfpages.sty not installed"; exit 1;;
esac
@@ -232,6 +232,20 @@
##
## That's the arguments done.
##
+
+mkTempDir=''
+trap 'test -n "$mkTempDir" && test -d "$mkTempDir" && \
+ rm -rf -- "$mkTempDir" && mkTempDir=""; \
+ trap - EXIT HUP INT TERM' EXIT HUP INT TERM
+if ! command -v mktemp >/dev/null 2>&1 || \
+ ! mkTempDir=`mktemp -d -- "$tempfileDir/pdfnup.XXXXXX"`
+then
+ echo "pdfnup: cannot create temporary directory"
+ exit 2
+fi
+tempfileDir=$mkTempDir
+
+##
## Next sort out paper orientation, if not specified
##
x=`echo $nup | sed 's/..$//'`
|