CVE-2004-1894
Description
TEXutil in ConTEXt when run with --silent allows local users to overwrite arbitrary files via a symlink attack on texutil.log.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
TEXutil, a Perl script included with ConTEXt, contains a symlink vulnerability when executed with the --silent option. Under this option, the script redirects all standard output to a hardcoded log file named texutil.log in the current directory, as seen in the code snippet $ProgramLog = "texutil.log" ; from the RedirectTerminal subroutine [1]. The script does not check whether texutil.log is a symbolic link before writing, allowing an attacker to create a malicious symlink. All versions of TEXutil are affected [1].
Exploitation
To exploit this vulnerability, an attacker must have local access to the system and be able to create files in the directory where TEXutil will be run. The attacker creates a symbolic link named texutil.log pointing to an arbitrary target file (e.g., /etc/passwd). When a victim runs texutil with the --silent flag in that directory, TEXutil overwrites the target file with its output, inheriting the victim's file system privileges [1]. No additional user interaction is required beyond executing the command.
Impact
Successful exploitation allows an attacker to overwrite arbitrary files on the system, with the privileges of the user who invoked TEXutil [1]. This can lead to denial of service (by corrupting critical files), privilege escalation (by overwriting files such as /etc/passwd or ~/.bashrc), or other forms of system compromise.
Mitigation
No official patch is referenced in the available sources [1]. Users should avoid using the --silent option of TEXutil in untrusted directories where an attacker could create a symlink. As a general workaround, administrators can restrict write permissions to directories where TEXutil is executed or apply file system protections such as sticky directories. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
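The workaround under Mitigation can be enforced before each run. This added example is not part of ConTEXt or of the cited advisory, and the function names `check_texutil_dir` and `safe_texutil` are hypothetical. It refuses to run `texutil --silent` unless `texutil.log` is not a symlink and the directory is one that no other user can create entries in, which also closes the gap between the check and the write.

```shell
#!/bin/sh
# Added example (not part of ConTEXt): pre-flight check for `texutil --silent`.
# TEXutil writes ./texutil.log without checking for a symlink, so the only
# safe place to run it is a directory nobody else can create entries in.

# check_texutil_dir [DIR]  -> 0 if DIR is safe, 1-4 with a reason on stderr.
check_texutil_dir() {
    dir=${1:-.}
    log=$dir/texutil.log

    # 1: the log path itself must not be a symlink (dangling ones included).
    if [ -L "$log" ]; then
        echo "unsafe: $log is a symbolic link" >&2
        return 1
    fi
    # 2: a pre-existing log must be a regular file that we own.
    if [ -e "$log" ] && { [ ! -f "$log" ] || [ ! -O "$log" ]; }; then
        echo "unsafe: $log exists but is not a regular file owned by you" >&2
        return 2
    fi
    # 3: the directory must be ours ...
    if [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
        echo "unsafe: $dir is not a directory owned by you" >&2
        return 3
    fi
    # 4: ... and not writable by group or others; otherwise a link could be
    #    planted between this check and the write (time-of-check race).
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "unsafe: $dir is group- or world-writable" >&2
        return 4
    fi
    return 0
}

# safe_texutil ARGS...: run texutil --silent only when the current
# directory passes the check; ARGS are passed through unchanged.
safe_texutil() {
    check_texutil_dir . && texutil --silent "$@"
}
```

The symlink test alone would still be racy in a shared directory; it is the ownership and permission checks on the directory that make the result hold until TEXutil opens the log.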
Affected products: 1
Patches: 0. No patches discovered yet.
References: 5
News mentions: 0. No linked articles in our index yet.