CVE-2015-5701

Publication date 25 August 2017

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

mktexlsr revision 36855, and before revision 36626 as packaged in texlive allows local users to write to arbitrary files via a symlink attack. NOTE: this vulnerability exists due to the reversion of a fix of CVE-2015-5700.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
texlive-bin	15.04 vivid	Not affected
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not affected

How can I get the fixes?
What do statuses mean?

Notes

seth-arnold

Debian/Ubuntu never reintroduced this; mktexlsr-use-mktemp patch

Severity score breakdown

Parameter	Value
Base score	6.1 · Medium
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity impact	High
Availability impact	None
Vector	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=36626&r2=36855
https://www.cve.org/CVERecord?id=CVE-2015-5701