By Martin Väth, vaeth@mathematik.uni-wuerzburg.de

CVE-2008-5743 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5743):
  pdfjam creates the (1) pdf90, (2) pdfjoin, and (3) pdfnup files with
  a predictable name, which allows local users to overwrite arbitrary
  files via a symlink attack.


Actually there is a much more severe security issue in pdfjam:
In the default setting it puts the current directory into PATH (because
pdflatex has an empty dirname which is put at the beginning of PATH).

The attached patch fixes both security issues, for simplicity requiring that
"mktemp -d" is available and working.

In addition, it replaces the non-POSIX "source" by ".": Since the scripts are
#!/bin/sh and not #!/bin/bash the should be at least POSIX-conformal (these
scripts would otherwise break in gentoo if /bin/sh is a symlink to dash).

Name:      CVE-2008-5843
URL:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5843
Published: 2009-01-05
Severity:  Medium
Description:

Multiple untrusted search path vulnerabilities in pdfjam allow local
users to gain privileges via a Trojan horse program in (1) the current
working directory or (2) /var/tmp, related to the (a) pdf90, (b)
pdfjoin, and (c) pdfnup scripts.



https://bugs.gentoo.org/show_bug.cgi?id=252734

--- scripts/pdf90
+++ scripts/pdf90
@@ -43,12 +43,12 @@
 for d in /etc /usr/share/etc /usr/local/share /usr/local/etc
 do if test -f $d/pdfnup.conf; then
    echo "Reading site configuration from $d/pdfnup.conf"
-   source $d/pdfnup.conf
+   . $d/pdfnup.conf
    fi 
 done
 if test -f ~/.pdfnup.conf; then 
    echo "Reading user defaults from ~/.pdfnup.conf";
-   source ~/.pdfnup.conf; 
+   . ~/.pdfnup.conf; 
 fi
 #######################################################################
 ##
@@ -71,8 +71,8 @@
 ##
 ##  Check that necessary LaTeX packages are installed
 ##
-PATH=`dirname "$pdflatex"`:$PATH
-export PATH
+modifyPath="${pdflatex%/*}"
+[ -n "$modifyPath" ] && export PATH="$modifyPath:$PATH"
 case `kpsewhich pdfpages.sty` in
 	"") echo "pdf90: pdfpages.sty not installed"; exit 1;;
 esac
@@ -136,6 +136,19 @@
 ##
 ##  That's the arguments done.
 ##
+
+mkTempDir=''
+trap 'test -n "$mkTempDir" && test -d "$mkTempDir" && \
+	rm -rf -- "$mkTempDir" && mkTempDir=""; \
+	trap - EXIT HUP INT TERM' EXIT HUP INT TERM
+if ! command -v mktemp >/dev/null 2>&1 || \
+	! mkTempDir=`mktemp -d -- "$tempfileDir/pdf90.XXXXXX"`
+then
+	echo "pdf90: cannot create temporary directory"
+	exit 2
+fi
+tempfileDir=$mkTempDir
+
 ##
 ##  Now work on the input file (or files in turn)
 ##
--- scripts/pdfjoin
+++ scripts/pdfjoin
@@ -50,12 +50,12 @@
 for d in /etc /usr/share/etc /usr/local/share /usr/local/etc
 do if test -f $d/pdfnup.conf; then
    echo "Reading site configuration from $d/pdfnup.conf"
-   source $d/pdfnup.conf
+   . $d/pdfnup.conf
    fi 
 done
 if test -f ~/.pdfnup.conf; then 
    echo "Reading user defaults from ~/.pdfnup.conf";
-   source ~/.pdfnup.conf; 
+   . ~/.pdfnup.conf; 
 fi
 #######################################################################
 ##
@@ -99,8 +99,8 @@
 ##
 ##  Check that necessary LaTeX packages are installed
 ##
-PATH=`dirname "$pdflatex"`:$PATH
-export PATH
+modifyPath="${pdflatex%/*}"
+[ -n "$modifyPath" ] && export PATH="$modifyPath:$PATH"
 case `kpsewhich pdfpages.sty` in
 	"") echo "pdfjoin: pdfpages.sty not installed"; exit 1;;
 esac
@@ -171,6 +171,19 @@
 ##
 ##  That's the arguments done.
 ##
+
+mkTempDir=''
+trap 'test -n "$mkTempDir" && test -d "$mkTempDir" && \
+	rm -rf -- "$mkTempDir" && mkTempDir=""; \
+	trap - EXIT HUP INT TERM' EXIT HUP INT TERM
+if ! command -v mktemp >/dev/null 2>&1 || \
+	! mkTempDir=`mktemp -d -- "$tempfileDir/pdfjoin.XXXXXX"`
+then
+	echo "pdfjoin: cannot create temporary directory"
+	exit 2
+fi
+tempfileDir=$mkTempDir
+
 ##
 ##  Now work on the input files
 ##
--- scripts/pdfnup
+++ scripts/pdfnup
@@ -57,12 +57,12 @@
 for d in /etc /usr/share/etc /usr/local/share /usr/local/etc
 do if test -f $d/pdfnup.conf; then
      echo "Reading site configuration from $d/pdfnup.conf"
-     source $d/pdfnup.conf
+     . $d/pdfnup.conf
    fi 
 done
 if test -f ~/.pdfnup.conf; then 
    echo "Reading user defaults from ~/.pdfnup.conf";
-   source ~/.pdfnup.conf; 
+   . ~/.pdfnup.conf; 
 fi
 #######################################################################
 ##
@@ -134,8 +134,8 @@
 ##
 ##  Check that necessary LaTeX packages are installed
 ##
-PATH=`dirname "$pdflatex"`:$PATH
-export PATH
+modifyPath="${pdflatex%/*}"
+[ -n "$modifyPath" ] && export PATH="$modifyPath:$PATH"
 case `kpsewhich pdfpages.sty` in
 	"") echo "pdfnup: pdfpages.sty not installed"; exit 1;;
 esac
@@ -232,6 +232,20 @@
 ##
 ##  That's the arguments done.
 ##
+
+mkTempDir=''
+trap 'test -n "$mkTempDir" && test -d "$mkTempDir" && \
+	rm -rf -- "$mkTempDir" && mkTempDir=""; \
+	trap - EXIT HUP INT TERM' EXIT HUP INT TERM
+if ! command -v mktemp >/dev/null 2>&1 || \
+	! mkTempDir=`mktemp -d -- "$tempfileDir/pdfnup.XXXXXX"`
+then
+	echo "pdfnup: cannot create temporary directory"
+	exit 2
+fi
+tempfileDir=$mkTempDir
+
+##
 ##  Next sort out paper orientation, if not specified
 ##
 x=`echo $nup | sed 's/..$//'`