mktexlsr revision 36855, and before revision 36626 as packaged in texlive allows local users to write to arbitrary files via a symlink attack. NOTE: this vulnerability exists due to the reversion of a fix of CVE-2015-5700.
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Texlive | Tug | 20100722 | 20100722 |
Texlive | Tug | 20140525 | 20140525 |
Texlive | Tug | 20130530 | 20130530 |
Texlive | Tug | 20120701 | 20120701 |
Texlive | Tug | 20110705 | 20110705 |