GNU bug report logs -
#25993
texlive CVE-2016-10243
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Mon, 6 Mar 2017 03:32:02 UTC
Severity: normal
Tags: fixed
Done: Ricardo Wurmus <rekado <at> elephly.net>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 25993 in the body.
You can then email your comments to 25993 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#25993; Package
guix-patches.
(Mon, 06 Mar 2017 03:32:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Mon, 06 Mar 2017 03:32:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
This fixes CVE-2016-10243:
"The TeX system allows for calling external programs from within the
TeX source code (called \write18). This has been restricted to a
small set of programs since a long time ago.
Unfortunately it turned out that one program in the list, mpost
(also shipped with TeX Live), allows in turn to specify other
programs to be run, which allows arbitrary code execution when
compiling a TeX document."
source:
http://seclists.org/oss-sec/2017/q1/555
This patch prevents the POC described in blog post:
https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/
[0001-gnu-texlive-Fix-CVE-2016-10243.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#25993; Package
guix-patches.
(Mon, 06 Mar 2017 09:03:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 25993 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> This fixes CVE-2016-10243:
Thanks for preparing the patch to fix this.
> diff --git a/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch
> new file mode 100644
> index 000000000..3a9ae993f
> --- /dev/null
> +++ b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch
> @@ -0,0 +1,18 @@
> +Fix CVE-2016-10243:
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10243
> +
> +Patch adapted from upstream commit:
> +
> +https://www.tug.org/svn/texlive?view=revision&revision=42605
> +
> +--- trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:10:33 42604
> ++++ trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:27:53 42605
> +@@ -568,7 +568,6 @@ extractbb,\
> + gregorio,\
> + kpsewhich,\
> + makeindex,\
> +-mpost,\
> + repstopdf,\
> +
> + % we'd like to allow:
> diff --git a/gnu/packages/tex.scm b/gnu/packages/tex.scm
Is this sufficient? I see here that two files need this change:
https://www.tug.org/svn/texlive?view=revision&revision=42605
Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
Information forwarded
to
guix-patches <at> gnu.org:
bug#25993; Package
guix-patches.
(Mon, 06 Mar 2017 18:31:01 GMT)
Full text and
rfc822 format available.
Message #11 received at 25993 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Mon, Mar 06, 2017 at 10:02:06AM +0100, Ricardo Wurmus wrote:
> Is this sufficient? I see here that two files need this change:
>
> https://www.tug.org/svn/texlive?view=revision&revision=42605
>
> Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?
I inspected the built output of texlive, texlive-bin, and texlive-texmf,
and none of them include the texmf.cnf file for kpathsea.
That file does exist in the source.
AFAICT, the only .cnf file in our built package that whitelists mpost is
the one I patched.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#25993; Package
guix-patches.
(Mon, 06 Mar 2017 21:33:01 GMT)
Full text and
rfc822 format available.
Message #14 received at 25993 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> On Mon, Mar 06, 2017 at 10:02:06AM +0100, Ricardo Wurmus wrote:
>> Is this sufficient? I see here that two files need this change:
>>
>> https://www.tug.org/svn/texlive?view=revision&revision=42605
>>
>> Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?
>
> I inspected the built output of texlive, texlive-bin, and texlive-texmf,
> and none of them include the texmf.cnf file for kpathsea.
>
> That file does exist in the source.
>
> AFAICT, the only .cnf file in our built package that whitelists mpost is
> the one I patched.
Thank you for confirming this. The patch looks good to me!
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
Information forwarded
to
guix-patches <at> gnu.org:
bug#25993; Package
guix-patches.
(Mon, 06 Mar 2017 21:50:01 GMT)
Full text and
rfc822 format available.
Message #17 received at 25993 <at> debbugs.gnu.org (full text, mbox):
On Mon, Mar 06, 2017 at 10:32:04PM +0100, Ricardo Wurmus wrote:
>
> Leo Famulari <leo <at> famulari.name> writes:
>
> > On Mon, Mar 06, 2017 at 10:02:06AM +0100, Ricardo Wurmus wrote:
> >> Is this sufficient? I see here that two files need this change:
> >>
> >> https://www.tug.org/svn/texlive?view=revision&revision=42605
> >>
> >> Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?
> >
> > I inspected the built output of texlive, texlive-bin, and texlive-texmf,
> > and none of them include the texmf.cnf file for kpathsea.
> >
> > That file does exist in the source.
> >
> > AFAICT, the only .cnf file in our built package that whitelists mpost is
> > the one I patched.
>
> Thank you for confirming this. The patch looks good to me!
Thanks for your review!
Pushed as e20784e65efa7c783792e8a830d4b4aaf35750d5
By the way, I'd normally adjust the patch to use the default patch-level
of 'p1', and to include another, more descriptive, link about the bug.
But I lack the disk space to rebuild texlive again. Building it before
and after the bug-fix, for testing, used ~12 GB.
Added tag(s) fixed.
Request was from
Ricardo Wurmus <rekado <at> elephly.net>
to
control <at> debbugs.gnu.org.
(Thu, 09 Mar 2017 08:07:02 GMT)
Full text and
rfc822 format available.
Reply sent
to
Ricardo Wurmus <rekado <at> elephly.net>:
You have taken responsibility.
(Thu, 09 Mar 2017 08:15:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer.
(Thu, 09 Mar 2017 08:15:02 GMT)
Full text and
rfc822 format available.
Message #24 received at 25993-done <at> debbugs.gnu.org (full text, mbox):
> Pushed as e20784e65efa7c783792e8a830d4b4aaf35750d5
Closing.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Thu, 06 Apr 2017 11:24:05 GMT)
Full text and
rfc822 format available.
This bug report was last modified 8 years and 169 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.