Risk | Low |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2015-5700 CVE-2015-5701 |
CWE-ID | CWE-59 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software | texlive (Client/Desktop applications / Other client software) |
Vendor | TeX Users Group |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU38424
Risk: Low
CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2015-5700
CWE-ID:
CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Exploit availability: No
Description
The vulnerability allows a local authenticated user to read and manipulate data.
mktexlsr revision 22855 through revision 36625 as packaged in texlive allows local users to write to arbitrary files via a symlink attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
texlive: 20100722 - 20140525
CPE2.3
https://www.openwall.com/lists/oss-security/2015/07/30/6
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775139
https://bugzilla.redhat.com/show_bug.cgi?id=1181167
https://usn.ubuntu.com/3788-1/
https://www.tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=19613&r2=22885
https://www.tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?view=log
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have valid credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU38425
Risk: Low
CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2015-5701
CWE-ID:
CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Exploit availability: No
Description
The vulnerability allows a local authenticated user to read and manipulate data.
mktexlsr revision 36855, and before revision 36626 as packaged in texlive allows local users to write to arbitrary files via a symlink attack. NOTE: this vulnerability exists due to the reversion of a fix of CVE-2015-5700.
Mitigation
Install update from vendor's website.
Vulnerable software versions
texlive: 20100722 - 20140525
CPE2.3
https://www.openwall.com/lists/oss-security/2015/07/30/6
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775139
https://bugzilla.redhat.com/show_bug.cgi?id=1181167
https://www.tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=19613&r2=22885
https://www.tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?view=log
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have valid credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.