Bug 32067

Summary: Upgrade of texlive/texmf from mga8 to mga9 creates a world-writable log file
Product: Mageia
Reporter: Raphael Gertz <mageia>
Component: RPM Packages
Assignee: Marc Krämer <mageia>
Status: NEW ---
QA Contact:
Severity: normal    
Priority: Normal    
Version: 9   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: texlive-20220321-6.mga9.src.rpm
CVE:
Status comment:
Attachments: Log of /usr/bin/fmtutil-sys --no-strict --all

Description Raphael Gertz 2023-07-05 13:32:32 CEST
Description of problem:

After upgrading from mga8, I get this world-writable file:
-rw-rw-rw- 1 root root 748 juin  26 06:13 /var/lib/texmf/web2c/metafont/mf.log

rpm -qa | grep -E '(20220321|tex)' | grep -v text
xmlto-notex-0.0.28-4.mga9
lib64kpathsea6-20220321-6.mga9
lib64ptexenc1-20220321-6.mga9
lib64texlua5-20220321-6.mga9
lib64synctex2-20220321-6.mga9
texlive-20220321-6.mga9
texlive-collection-basic-20220321-12.mga9
texlive-texmf-20220321-12.mga9
texlive-dist-20220321-12.mga9
xmltex-20020625-10.mga9
texi2html-5.0-13.mga9
texinfo-7.0.3-1.mga9

cat /var/lib/texmf/web2c/metafont/mf.log; echo EOF:
This is METAFONT, Version 2.71828182 (INIMF)  26 JUN 2023 06:13
(/usr/share/texmf-dist/web2c/cp227.tcx)
**mf.ini
(/usr/share/texmf-dist/metafont/config/mf.ini
(/usr/share/texmf-dist/metafont/base/plain.mf
Preloading the plain base, version 2.71: preliminaries,
 basic constants and mathematical macros,
 macros for converting from device-independent units to pixels,
 macros and tables for various modes of operation,
 macros for drawing and filling,
 macros for proof labels and rules,
 macros for character and font administration,
and a few last-minute items.)
! I can't find file `modes'.
l.3 \input modes
                
Please type another input file name: 
! Emergency stop.
l.3 \input modes
                
End of file on the terminal!


EOF

Version-Release number of selected component (if applicable):
texlive-20220321-6.mga9

How reproducible:
Not sure

Steps to Reproduce:
1. Upgrade from mga8 to mga9
Comment 1 Lewis Smith 2023-07-05 19:54:21 CEST
Thank you for the report.
Unusually, I cannot find '/var/lib/texmf/web2c/metafont/mf.log' with urpmf, that is, what package it comes from.

Assigning this to Marc who is the main maintainer for texlive; please re-assign it if you wish.

Assignee: bugsquad => mageia

Comment 2 Raphael Gertz 2023-09-05 18:53:25 CEST
After the last update it happened again:
root     2794006  0.0  0.0  38924  5888 pts/0    S+   06:39   0:00  |           \_ urpmi --auto-select --no-recommends --media Core Release
root     2794007  1.9  1.1 221708 186148 pts/0   S+   06:39   0:10  |               \_ /usr/bin/perl /usr/sbin/urpmi --auto-select --no-recommends --media Core Release
root     2798437  0.0  0.0  31788  2944 pts/0    S+   06:46   0:00  |                   \_ /bin/sh /var/tmp/rpm-tmp.jYCHxM 0
root     2807770  0.6  0.1  48312 18816 pts/0    S+   06:47   0:00  |                       \_ /usr/bin/perl /usr/bin/fmtutil --sys --no-strict --all
root     2830073  0.0  0.0  31788  3072 pts/0    S+   06:47   0:00  |                           \_ sh -c luatex -ini   -jobname=luacsplain -progname=luacsplain -etex csplain.ini </dev/null
root     2830074  7.0  0.3  87088 48728 pts/0    D+   06:47   0:00  |                               \_ luatex -ini -jobname=luacsplain -progname=luacsplain -etex csplain.ini

Trigger script /var/tmp/rpm-tmp.jYCHxM content:
export TEXMF=/usr/share/texmf-dist
export TEXMFCNF=/usr/share/texmf-dist/web2c
export TEXMFCACHE=/var/lib/texmf
/usr/bin/texhash > /dev/null 2>&1
/usr/bin/updmap-sys --syncwithtrees --force > /dev/null 2>&1
/usr/bin/fmtutil-sys --no-strict --all > /dev/null 2>&1

Msec whining again:
Security Warning: change in World Writable permissions on files found :
-   Added World Writable permissions on files : /var/lib/texmf/web2c/metafont/mf.log

On my system running texhash:
# /usr/bin/texhash
texhash: Updating /etc/texmf/ls-R... 
texhash: Updating /usr/share/texmf-dist/ls-R... 
texhash: Updating /usr/share/texmf-local/ls-R... 
texhash: Updating /var/lib/texmf/ls-R... 
texhash: Done.

Seems we have a problem with updmap-sys which silently fails:
# /usr/bin/updmap-sys --syncwithtrees --force < /dev/null
updmap will read the following updmap.cfg files (in precedence order):
  /usr/share/texmf-dist/web2c/updmap.cfg
updmap may write changes to the following updmap.cfg file:
  /etc/texmf/web2c/updmap.cfg
Missing map files found, disabling
        morisawa.map (in /usr/share/texmf-dist/web2c/updmap.cfg)
        otf-cktx.map (in /usr/share/texmf-dist/web2c/updmap.cfg)
in /etc/texmf/web2c/updmap.cfg
Do you really want to continue (y/N)? answer =n=
Please fix manually before running updmap(-sys) again!

The running log of the last command is too long, but it's the one that generates the world-writable log file :'(

# /usr/bin/fmtutil-sys --no-strict --all

# ls -l /var/lib/texmf/web2c/metafont/mf.log
-rw-rw-rw- 1 root root 747 sept.  5 18:48 /var/lib/texmf/web2c/metafont/mf.log
Comment 3 Raphael Gertz 2023-09-05 19:00:52 CEST
The relevant log seems to come from:
kpathsea: Running mktextfm upjisr-h
mktextfm: Running mf-nowin -progname=mf \mode:=ljfour; mag:=1; ; nonstopmode; input upjisr-h
This is METAFONT, Version 2.71828182 (TeX Live 2022/Mageia) (preloaded base=mf)

kpathsea: Running mktexfmt mf.base
mktexfmt: mktexfmt is using the following fmtutil.cnf files (in precedence order):
mktexfmt:   /usr/share/texmf-dist/web2c/fmtutil.cnf
mktexfmt: mktexfmt is using the following fmtutil.cnf file for writing changes:
mktexfmt:   /root/.texlive2022/texmf-config/web2c/fmtutil.cnf
mktexfmt [INFO]: writing formats under /var/lib/texmf/web2c
mktexfmt [INFO]: --- remaking mf with mf-nowin
mktexfmt: running `mf-nowin -ini   -jobname=mf -progname=mf -translate-file=cp227.tcx mf.ini' ...
This is METAFONT, Version 2.71828182 (TeX Live 2022/Mageia) (INIMF)
(/usr/share/texmf-dist/web2c/cp227.tcx)
(/usr/share/texmf-dist/metafont/config/mf.ini
(/usr/share/texmf-dist/metafont/base/plain.mf
Preloading the plain base, version 2.71: preliminaries,
 basic constants and mathematical macros,
 macros for converting from device-independent units to pixels,
 macros and tables for various modes of operation,
 macros for drawing and filling,
 macros for proof labels and rules,
 macros for character and font administration,
and a few last-minute items.)
kpathsea: Running mktexmf modes

! I can't find file `modes'.
l.3 \input modes
                
Please type another input file name: 
! Emergency stop.
l.3 \input modes
                
Transcript written on mf.log.
mktexfmt [INFO]: log file copied to: /var/lib/texmf/web2c/metafont/mf.log
mktexfmt [ERROR]: running `mf-nowin -ini   -jobname=mf -progname=mf -translate-file=cp227.tcx mf.ini >&2 </dev/null' return status: 1
mktexfmt [ERROR]: returning error due to option --strict
mktexfmt [INFO]: disabled formats: 5
mktexfmt [INFO]: not selected formats: 55
mktexfmt [INFO]: failed to build: 1 (mf-nowin/mf)
mktexfmt [INFO]: total formats: 61
mktexfmt [INFO]: exiting with status 1
Comment 4 Raphael Gertz 2023-09-05 19:02:30 CEST
Created attachment 13972
Log of /usr/bin/fmtutil-sys --no-strict --all
Marc Krämer 2023-09-07 21:10:39 CEST

Version: Cauldron => 9

Comment 5 Marc Krämer 2023-09-07 21:12:34 CEST
and what harm does this (really) do?
Comment 6 Marc Krämer 2023-09-07 21:29:11 CEST
have you set up another umask for your root user?
I get this file here:
ll /var/lib/texmf/web2c/tex/tex.log
-rw-r--r-- 1 root root 2473 Jul 24 09:15 /var/lib/texmf/web2c/tex/tex.log

since this is a trivial copy operation, the umask of the user running this command is used.
Comment 7 Raphael Gertz 2023-09-09 07:10:16 CEST
If these logs have no practical use, could you add a cleanup to the trigger:
find /var/lib/texmf/web2c -name '*.log' -exec rm -f {} \;

This way, even when the 54 log files are generated on update, they don't pollute the file tree with useless logs and/or world-writable files.

I don't follow your point on user's umask.

My user umask is 0002 and the sudo/root one is 0022, thus if the trigger were following the user umask it would not create a world-writable file...
Comment 8 Marc Krämer 2023-09-10 10:47:40 CEST
in my case they are not created world writeable.
They are generated and then copied to the target location by the tex script.
Since they are created every time some of the tex update scripts run, this is not an "installation" issue. It is more or less a texlive issue.
Comment 9 Raphael Gertz 2023-09-10 21:35:32 CEST
OK, I retried after becoming root, just to be sure, with:
su -

Same result: world-writable file.

To help reproduce, I placed the package list, the modified files' states and a copy of the modified /usr/share/texmf-dist/web2c/updmap.cfg file there:
https://rapsys.eu/mageia/texlive/
(This way I may remove them when the bug is fixed)

Do you need anything else to reproduce?
Comment 10 Raphael Gertz 2023-09-11 00:41:58 CEST
It looks like the bug happens when this package is not installed:
texinfo-tex-7.0.3-1.mga9.x86_64

With texinfo-tex installed, there is no world-writable log file; without it, this log is world-writable:
/var/lib/texmf/web2c/metafont/mf.log

Maybe you could add it as a requirement for the update trigger to fix the problem?
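
Added example (not part of the bug thread or of Mageia's packaging): a POSIX shell check for the condition msec reports in this thread, listing regular files with the other-write bit set under a tree and clearing only that bit instead of deleting the logs. The function names and the temporary demo tree are constructed for illustration; on a real system the root to pass would be /var/lib/texmf/web2c from the report.

```shell
#!/bin/sh
# Added example: audit a TeX format tree for world-writable regular files.
# Function names are hypothetical; the demo tree below is constructed.

# Print every regular file under $1 that has the other-write bit (0002) set.
list_world_writable() {
    find "$1" -xdev -type f -perm -0002 -print
}

# Number of such files, as a bare integer.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Clear only the other-write bit; owner and group permissions are untouched,
# and files that were not world-writable are not modified at all.
fix_world_writable() {
    find "$1" -xdev -type f -perm -0002 -exec chmod o-w {} +
}

# Build a constructed tree mirroring the two logs quoted in the thread:
# metafont/mf.log created with no mask (0666), tex/tex.log under 022 (0644).
make_demo_tree() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/web2c/metafont" "$demo/web2c/tex"
    ( umask 000; : > "$demo/web2c/metafont/mf.log" )
    ( umask 022; : > "$demo/web2c/tex/tex.log" )
    printf '%s\n' "$demo"
}

# Stand-alone use: pass the tree to audit, e.g. /var/lib/texmf/web2c.
if [ "$#" -gt 0 ]; then
    list_world_writable "$1"
fi
```

Running fix_world_writable on the same root after the format rebuild leaves the logs in place for debugging while removing the permission msec flags.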