From unknown Sat Sep 20 10:23:53 2025 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) Content-Type: text/plain; charset=utf-8 From: bug#25993 <25993@debbugs.gnu.org> To: bug#25993 <25993@debbugs.gnu.org> Subject: Status: texlive CVE-2016-10243 Reply-To: bug#25993 <25993@debbugs.gnu.org> Date: Sat, 20 Sep 2025 17:23:53 +0000 retitle 25993 texlive CVE-2016-10243 reassign 25993 guix-patches submitter 25993 Leo Famulari severity 25993 normal tag 25993 fixed thanks From debbugs-submit-bounces@debbugs.gnu.org Sun Mar 05 22:31:24 2017 Received: (at submit) by debbugs.gnu.org; 6 Mar 2017 03:31:24 +0000 Received: from localhost ([127.0.0.1]:41594 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ckjMk-0001n4-GA for submit@debbugs.gnu.org; Sun, 05 Mar 2017 22:31:24 -0500 Received: from eggs.gnu.org ([208.118.235.92]:51963) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ckjMg-0001mq-2N for submit@debbugs.gnu.org; Sun, 05 Mar 2017 22:31:16 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ckjMZ-0002sN-DH for submit@debbugs.gnu.org; Sun, 05 Mar 2017 22:31:08 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=BAYES_20,T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:57819) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ckjMZ-0002sH-AK for submit@debbugs.gnu.org; Sun, 05 Mar 2017 22:31:07 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42929) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ckjMX-0007xM-TX for guix-patches@gnu.org; Sun, 05 Mar 2017 22:31:07 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ckjMT-0002qr-Np for guix-patches@gnu.org; Sun, 05 Mar 2017 22:31:05 -0500 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:44460) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ckjMT-0002qG-Ea for guix-patches@gnu.org; Sun, 05 Mar 2017 22:31:01 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id D0D2A208CE; Sun, 5 Mar 2017 22:31:00 -0500 (EST) Received: from frontend2 ([10.202.2.161]) by compute4.internal (MEProxy); Sun, 05 Mar 2017 22:31:00 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h= content-type:date:from:message-id:mime-version:subject:to :x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=yDP d6T6Ck12luHydekfuEssniBI=; b=kWPWvaAKaQwmx3zZyYdyYxbDmoJMliJt8pb htut8JEmcOeo8rx0FQ5o/CeJsOrnODn6R1PHI7qMhbLsTRd47kLTZNQkmzWirAjw qgosEmhx78NlRm7GenCnh7mT2pH93oVjLmDLChvpR3i/GTGj+1x1mWCWZt8oa2Su EhS6i3wM= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc :x-sasl-enc; s=smtpout; bh=yDPd6T6Ck12luHydekfuEssniBI=; b=L4oGq HuCqeUC+nAH/6QsS5S0/2U4wCUgb+DVMDKCmNZlprYIY0TiUAlU0Yiu9u2+FkOhq UTL/oM5ExttZs8bejC+tVTgdaL2JCyvr9Rl54jTmuSApQbSnmNo09V53l6R3n9Eu PMxE3XFHG+4/K8RfVDy9BO6bOdjl3eNmn1oR1I= X-ME-Sender: X-Sasl-enc: 8YsTQG92npwPXoYz6OMNRtZ3sI6FlF/z+ypw6fRVfVGX 1488771060 Received: from localhost (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148]) by mail.messagingengine.com (Postfix) with ESMTPA id 7D62124066 for ; Sun, 5 Mar 2017 22:31:00 -0500 (EST) Date: Sun, 5 Mar 2017 22:30:58 -0500 From: Leo Famulari To: guix-patches@gnu.org Subject: texlive CVE-2016-10243 Message-ID: <20170306033058.GA19658@jasmine> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="bCsyhTFzCvuiizWE" Content-Disposition: inline User-Agent: Mutt/1.8.0 (2017-02-23) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.1 (----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.1 (----) --bCsyhTFzCvuiizWE Content-Type: multipart/mixed; boundary="liOOAslEiF7prFVr" Content-Disposition: inline --liOOAslEiF7prFVr Content-Type: text/plain; charset=us-ascii Content-Disposition: inline This fixes CVE-2016-10243: "The TeX system allows for calling external programs from within the TeX source code (called \write18). This has been restricted to a small set of programs since a long time ago. Unfortunately it turned out that one program in the list, mpost (also shipped with TeX Live), allows in turn to specify other programs to be run, which allows arbitrary code execution when compiling a TeX document." source: http://seclists.org/oss-sec/2017/q1/555 This patch prevents the POC described in blog post: https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/ --liOOAslEiF7prFVr Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="0001-gnu-texlive-Fix-CVE-2016-10243.patch" Content-Transfer-Encoding: quoted-printable =46rom 09cb7073e44b04b778b5b26a75074aaf2c8ee8e4 Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Sun, 5 Mar 2017 20:41:36 -0500 Subject: [PATCH] gnu: texlive: Fix CVE-2016-10243. * gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/tex.scm (texlive-texmf-src): Use it. --- gnu/local.mk | 1 + .../patches/texlive-texmf-CVE-2016-10243.patch | 18 ++++++++++++++= ++++ gnu/packages/tex.scm | 2 ++ 3 files changed, 21 insertions(+) create mode 100644 gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch diff --git a/gnu/local.mk b/gnu/local.mk index c88892df5..9f83c2bca 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -930,6 +930,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/tcsh-fix-autotest.patch \ %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \ %D%/packages/patches/teensy-loader-cli-help.patch \ + %D%/packages/patches/texlive-texmf-CVE-2016-10243.patch \ %D%/packages/patches/texi2html-document-encoding.patch \ %D%/packages/patches/texi2html-i18n.patch \ %D%/packages/patches/tidy-CVE-2015-5522+5523.patch \ diff --git a/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch b/gnu/= packages/patches/texlive-texmf-CVE-2016-10243.patch new file mode 100644 index 000000000..3a9ae993f --- /dev/null +++ b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch @@ -0,0 +1,18 @@ +Fix CVE-2016-10243: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-10243 + +Patch adapted from upstream commit: + +https://www.tug.org/svn/texlive?view=3Drevision&revision=3D42605 + +--- trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:10:33 42604 ++++ trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:27:53 42605 +@@ -568,7 +568,6 @@ extractbb,\ + gregorio,\ + kpsewhich,\ + makeindex,\ +-mpost,\ + repstopdf,\ +=20 + % we'd like to allow: diff --git a/gnu/packages/tex.scm b/gnu/packages/tex.scm index 7c84ed719..404fd0339 100644 --- a/gnu/packages/tex.scm +++ b/gnu/packages/tex.scm @@ -72,6 +72,8 @@ (origin (method url-fetch) (uri "ftp://tug.org/historic/systems/texlive/2016/texlive-20160523b-te= xmf.tar.xz") + (patches (search-patches "texlive-texmf-CVE-2016-10243.patch")) + (patch-flags '("-p2")) (sha256 (base32 "1dv8vgfzpczqw82hv9g7a8djhhyzywljmrarlcyy6g2qi5q51glr")))) =20 --=20 2.12.0 --liOOAslEiF7prFVr-- --bCsyhTFzCvuiizWE Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAli81+8ACgkQJkb6MLrK fwgbgRAAvmK4skkiIQHGR6s+MY6PlguXOIiIWHGznzLEM5liOVZ/PqjYg9lAwXg4 TjXerB7o1vC7njHC4hhPd2DGq4P9Bkz5M7nx7AKOHNxJ6vU5LVrZgDofnYFVT/Er lS/Z9lVrA86nKTlmY+7f9MqFVBpd7FArU9LdJvI9mcPkA5BGhgTNfAlVqnqwPDrZ 1EBWX82wAsyVLto9xxHUYFGmn6n1SMZLEjonpMN1/4W9+qEzx/pnTvkmbuq4RZFX mGQP0X3sA3FyzyCLTMbz1sBSHMOtA27zNexj5UQm9cR/EliVJsdFAj4VNYF5HSF9 uWRi7u/tAb7myiA99UPDxuoq2XGvFhRq4YzfITVgCp8oJO1nGbz18THhGUW28nPF kliISyc7X4At1DpooXTxLTI6kBEOhJjq/Q+q5eLzpi3oBvVO7KsRXJwWYXlRi2DO MxAkJ6DA9a4nuC31ro5TXwN1+Xzl3FRm1eYLp+td3t4rk/L82wDk7hpB42NDiDkq 8ecxZ68NhX85cNKW0/t+ozH6tEwXn/ESIjKQhaooxzD1nPBngo32ANPlXthQTEC4 fr9DiLaR6BrekGMRSqrjJ/s1nEJHe6mQ9ks+yXOy9DIYOCb8NFxq0xdM7xkTfu2w DrcecIN2llAoN9TQzR/mpSehuL+jxDRFpYs6fRzibRBiL6X3bNY= =H4uz -----END PGP SIGNATURE----- --bCsyhTFzCvuiizWE-- From debbugs-submit-bounces@debbugs.gnu.org Mon Mar 06 04:02:22 2017 Received: (at 25993) by debbugs.gnu.org; 6 Mar 2017 09:02:22 +0000 Received: from localhost ([127.0.0.1]:41710 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ckoX4-0003I9-TE for submit@debbugs.gnu.org; Mon, 06 Mar 2017 04:02:22 -0500 Received: from sender-of-o51.zoho.com ([135.84.80.216]:21003) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ckoWz-0003Hx-Dn for 25993@debbugs.gnu.org; Mon, 06 Mar 2017 04:02:17 -0500 Received: from localhost (x4d0cc913.dyn.telefonica.de [77.12.201.19]) by mx.zohomail.com with SMTPS id 1488790929349290.99640526110943; Mon, 6 Mar 2017 01:02:09 -0800 (PST) References: <20170306033058.GA19658@jasmine> User-agent: mu4e 0.9.18; emacs 25.1.1 From: Ricardo Wurmus To: Leo Famulari Subject: Re: bug#25993: texlive CVE-2016-10243 In-reply-to: <20170306033058.GA19658@jasmine> X-URL: https://elephly.net X-PGP-Key: https://elephly.net/rekado.pubkey X-PGP-Fingerprint: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC Date: Mon, 06 Mar 2017 10:02:06 +0100 Message-ID: <87bmte4w35.fsf@elephly.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: 25993 Cc: 25993@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 1.0 (+) Leo Famulari writes: > This fixes CVE-2016-10243: Thanks for preparing the patch to fix this. > diff --git a/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch > new file mode 100644 > index 000000000..3a9ae993f > --- /dev/null > +++ b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch > @@ -0,0 +1,18 @@ > +Fix CVE-2016-10243: > + > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10243 > + > +Patch adapted from upstream commit: > + > +https://www.tug.org/svn/texlive?view=revision&revision=42605 > + > +--- trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:10:33 42604 > ++++ trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:27:53 42605 > +@@ -568,7 +568,6 @@ extractbb,\ > + gregorio,\ > + kpsewhich,\ > + makeindex,\ > +-mpost,\ > + repstopdf,\ > + > + % we'd like to allow: > diff --git a/gnu/packages/tex.scm b/gnu/packages/tex.scm Is this sufficient? I see here that two files need this change: https://www.tug.org/svn/texlive?view=revision&revision=42605 Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched? -- Ricardo GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC https://elephly.net From debbugs-submit-bounces@debbugs.gnu.org Mon Mar 06 13:30:06 2017 Received: (at 25993) by debbugs.gnu.org; 6 Mar 2017 18:30:06 +0000 Received: from localhost ([127.0.0.1]:43100 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ckxOY-00065Q-89 for submit@debbugs.gnu.org; Mon, 06 Mar 2017 13:30:06 -0500 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:59555) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ckxOW-00064S-Dy for 25993@debbugs.gnu.org; Mon, 06 Mar 2017 13:30:05 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id C121F20B3B; Mon, 6 Mar 2017 13:30:03 -0500 (EST) Received: from frontend1 ([10.202.2.160]) by compute4.internal (MEProxy); Mon, 06 Mar 2017 13:30:03 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h= cc:content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=kSAb6HeFv5CrZaaRRKnQsnXMl/E=; b=QXm4o2 XGQHvTl6r42Ditpn+Y7Mw+VHx667jigR0Fp/KA25/FCxJ0FCWyPuXrIlu46mKaos F/55ly11VAhjJYeBN+sJwERPwkPxnCOWe/7wraBlJc6IKhhbf/NUoZbrNwTghfXR eGvDJiO31ntFCSwVBUeR4C51JaahTNgf+/5ec= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc:x-sasl-enc; s=smtpout; bh=kSAb6HeFv5CrZa aRRKnQsnXMl/E=; b=E2P+r8/+BXDn/S2uk6+5d35/VpVebv8gCQ5021SD0IKqZ1 qDfmdQ/ovjJ3Mf7/eimCByqSszOCAj6NCcaI4CZcz5xjiRZZyWDg3zf2PWYAvQ1q pH1bvcDqRBlF2BOEjAPwpsjmP2bdFLkp2aWgBKVXK5yy8cVDPAtfH0Ijh3/Mc= X-ME-Sender: X-Sasl-enc: vKPxcpF2mNZGcs/YWg9P4aw2ZHf8x+b/+/cYtPo31rNu 1488825003 Received: from localhost (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148]) by mail.messagingengine.com (Postfix) with ESMTPA id 655427E033; Mon, 6 Mar 2017 13:30:03 -0500 (EST) Date: Mon, 6 Mar 2017 13:30:00 -0500 From: Leo Famulari To: Ricardo Wurmus Subject: Re: bug#25993: texlive CVE-2016-10243 Message-ID: <20170306183000.GA2185@jasmine> References: <20170306033058.GA19658@jasmine> <87bmte4w35.fsf@elephly.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="k+w/mQv8wyuph6w0" Content-Disposition: inline In-Reply-To: <87bmte4w35.fsf@elephly.net> User-Agent: Mutt/1.8.0 (2017-02-23) X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 25993 Cc: 25993@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) --k+w/mQv8wyuph6w0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Mar 06, 2017 at 10:02:06AM +0100, Ricardo Wurmus wrote: > Is this sufficient? I see here that two files need this change: >=20 > https://www.tug.org/svn/texlive?view=3Drevision&revision=3D42605 >=20 > Should =E2=80=9Ctrunk/Build/source/texk/kpathsea/texmf.cnf=E2=80=9D also = be patched? I inspected the built output of texlive, texlive-bin, and texlive-texmf, and none of them include the texmf.cnf file for kpathsea. That file does exist in the source. AFAICT, the only .cnf file in our built package that whitelists mpost is the one I patched. --k+w/mQv8wyuph6w0 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAli9qqgACgkQJkb6MLrK fwhJ5A//Q1+iDM3ce34DzItzZzHk+Cy6pxm+X4RimHwCBKeOWlFGXNQlR0Q6u8Va tXe5idHX/j/hllty6bhtQ5OKx3jmFLe+77WpYOjjkfmWoUOpvBTpyC0QTsQOX3sT VkFLh0FjCj6gPafIxgt12/S7GuG3UwWOfv5/fOjg8bvnrEaP0IIcV3aEuz2h2KpZ FA4yt55L1E0d8e8sV5CvXpjjF8CDx9WtyFYY9h7j6RrGOO0eJSJKByd35sIKmHTa Qsu0x+apskg+VfqichnqnITHaUrzz5rZYvn3lvxmG8V1tYgNSENeBqTL5bwo/qae JT5ObjjnebMZTcDLhE/hB2fph372xgcHD9MtYe0SpBFuIy/RiYunq7PWmOcplQ0z Ce4BoXH5z/vLwMHH1PHH8/MIL/n/FsK4JtwDAGQH2lAVfyghpdN6HUT1frXUug8D 2Uk8Dqf1DVkd5bxa72hyJrirdLjK/v/lECyB256ARTwUlf07VBTHMK0W6x3oBYI6 C//c/C6nwlhPVyYAZl0rSycGVoZuZYJcYVlkgV+6JQusPoocU25QpfvDgIqBKrG4 rCiXJw+9w890aMOhy8QvuS7oVDfkPokGjbVk/IjfWJvSQ4dcNcizS1VEJ7fra4vz /9sDQPhDeq0C9O65B5cfDSH7tQZ7itWDtn9uBnSuMQMwX8v7Vns= =695L -----END PGP SIGNATURE----- --k+w/mQv8wyuph6w0-- From debbugs-submit-bounces@debbugs.gnu.org Mon Mar 06 16:32:14 2017 Received: (at 25993) by debbugs.gnu.org; 6 Mar 2017 21:32:14 +0000 Received: from localhost ([127.0.0.1]:43276 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cl0Eo-0003uq-2D for submit@debbugs.gnu.org; Mon, 06 Mar 2017 16:32:14 -0500 Received: from sender-of-o51.zoho.com ([135.84.80.216]:21116) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cl0Em-0003ui-3K for 25993@debbugs.gnu.org; Mon, 06 Mar 2017 16:32:12 -0500 Received: from localhost (x4d0cc913.dyn.telefonica.de [77.12.201.19]) by mx.zohomail.com with SMTPS id 1488835927036832.7198196624789; Mon, 6 Mar 2017 13:32:07 -0800 (PST) References: <20170306033058.GA19658@jasmine> <87bmte4w35.fsf@elephly.net> <20170306183000.GA2185@jasmine> User-agent: mu4e 0.9.18; emacs 25.1.1 From: Ricardo Wurmus To: Leo Famulari Subject: Re: bug#25993: texlive CVE-2016-10243 In-reply-to: <20170306183000.GA2185@jasmine> X-URL: https://elephly.net X-PGP-Key: https://elephly.net/rekado.pubkey X-PGP-Fingerprint: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC Date: Mon, 06 Mar 2017 22:32:04 +0100 Message-ID: <87zigy2isr.fsf@elephly.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: 25993 Cc: 25993@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 1.0 (+) Leo Famulari writes: > On Mon, Mar 06, 2017 at 10:02:06AM +0100, Ricardo Wurmus wrote: >> Is this sufficient? I see here that two files need this change: >> >> https://www.tug.org/svn/texlive?view=revision&revision=42605 >> >> Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched? > > I inspected the built output of texlive, texlive-bin, and texlive-texmf, > and none of them include the texmf.cnf file for kpathsea. > > That file does exist in the source. > > AFAICT, the only .cnf file in our built package that whitelists mpost is > the one I patched. Thank you for confirming this. The patch looks good to me! -- Ricardo GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC https://elephly.net From debbugs-submit-bounces@debbugs.gnu.org Mon Mar 06 16:49:30 2017 Received: (at 25993) by debbugs.gnu.org; 6 Mar 2017 21:49:30 +0000 Received: from localhost ([127.0.0.1]:43300 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cl0VW-0004Kv-Fn for submit@debbugs.gnu.org; Mon, 06 Mar 2017 16:49:30 -0500 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:50819) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cl0VV-0004Ko-1b for 25993@debbugs.gnu.org; Mon, 06 Mar 2017 16:49:29 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id DAF8F20B5F; Mon, 6 Mar 2017 16:49:28 -0500 (EST) Received: from frontend1 ([10.202.2.160]) by compute4.internal (MEProxy); Mon, 06 Mar 2017 16:49:28 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=LHQ7zomiQp0qVnt JZsMTjRRTWY0=; b=YwbGSreENe/h3q25oLqYEczhFtwlAlG4EhLB3ewoK/b03U6 0ohMd2j1A7fYXro3Je+1eSUdsFpv6pbr7ZTWM4iwGx+n6wxQCwZlCKmY0rvfxO2L YZV2/NtFbKZwzu//+D8nCnXQl70QRUPkbc8tXmmGdv8lKY3nADjSmFeE4g5w= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s= smtpout; bh=LHQ7zomiQp0qVntJZsMTjRRTWY0=; b=nClv3x+FHacISmNGyRa3 kL0DiEW3CnIxN5BjaCjzaMTk0kk9Mv3u44i6JrhhpAMpcOXR6Ic+Mo+dAYPgYsoY fY9lEwVsDwng6kFkSRCWNbP+yUrDNqNDuzO6ISK5/V1zuXYCIOEAQ7VKZs9b6w6Q GbYzhQC9BbZ3b0pkUCzc9Gk= X-ME-Sender: X-Sasl-enc: 9frMzoYFNMBYc91n3btXH9mrUS/KwBDEaMjPQrjo/r1L 1488836968 Received: from localhost (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148]) by mail.messagingengine.com (Postfix) with ESMTPA id 925F47E5E4; Mon, 6 Mar 2017 16:49:28 -0500 (EST) Date: Mon, 6 Mar 2017 16:49:27 -0500 From: Leo Famulari To: Ricardo Wurmus Subject: Re: bug#25993: texlive CVE-2016-10243 Message-ID: <20170306214927.GA3639@jasmine> References: <20170306033058.GA19658@jasmine> <87bmte4w35.fsf@elephly.net> <20170306183000.GA2185@jasmine> <87zigy2isr.fsf@elephly.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <87zigy2isr.fsf@elephly.net> User-Agent: Mutt/1.8.0 (2017-02-23) X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 25993 Cc: 25993@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On Mon, Mar 06, 2017 at 10:32:04PM +0100, Ricardo Wurmus wrote: > > Leo Famulari writes: > > > On Mon, Mar 06, 2017 at 10:02:06AM +0100, Ricardo Wurmus wrote: > >> Is this sufficient? I see here that two files need this change: > >> > >> https://www.tug.org/svn/texlive?view=revision&revision=42605 > >> > >> Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched? > > > > I inspected the built output of texlive, texlive-bin, and texlive-texmf, > > and none of them include the texmf.cnf file for kpathsea. > > > > That file does exist in the source. > > > > AFAICT, the only .cnf file in our built package that whitelists mpost is > > the one I patched. > > Thank you for confirming this. The patch looks good to me! Thanks for your review! Pushed as e20784e65efa7c783792e8a830d4b4aaf35750d5 By the way, I'd normally adjust the patch to use the default patch-level of 'p1', and to include another, more descriptive, link about the bug. But I lack the disk space to rebuild texlive again. Building it before and after the bug-fix, for testing, used ~12 GB. From debbugs-submit-bounces@debbugs.gnu.org Thu Mar 09 03:06:43 2017 Received: (at control) by debbugs.gnu.org; 9 Mar 2017 08:06:44 +0000 Received: from localhost ([127.0.0.1]:47095 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1clt5v-0003UJ-PT for submit@debbugs.gnu.org; Thu, 09 Mar 2017 03:06:43 -0500 Received: from sender-of-o51.zoho.com ([135.84.80.216]:21004) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1clt5u-0003U9-1C for control@debbugs.gnu.org; Thu, 09 Mar 2017 03:06:42 -0500 Received: from localhost (x4d0cd4e4.dyn.telefonica.de [77.12.212.228]) by mx.zohomail.com with SMTPS id 1489046797877655.6960366232954; Thu, 9 Mar 2017 00:06:37 -0800 (PST) Date: Thu, 09 Mar 2017 09:06:34 +0100 To: control@debbugs.gnu.org From: Ricardo Wurmus Subject: control message for bug #25993 X-Spam-Score: 1.1 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: tags 25993 fixed [...] Content analysis details: (1.1 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [135.84.80.216 listed in wl.mailspike.net] 1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) 0.1 MISSING_MID Missing Message-Id: header X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" Message-Id: X-Spam-Score: 1.0 (+) tags 25993 fixed From debbugs-submit-bounces@debbugs.gnu.org Thu Mar 09 03:14:41 2017 Received: (at 25993-done) by debbugs.gnu.org; 9 Mar 2017 08:14:41 +0000 Received: from localhost ([127.0.0.1]:47100 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cltDd-0003fM-IE for submit@debbugs.gnu.org; Thu, 09 Mar 2017 03:14:41 -0500 Received: from sender-of-o51.zoho.com ([135.84.80.216]:21077) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cltDb-0003fE-RV for 25993-done@debbugs.gnu.org; Thu, 09 Mar 2017 03:14:40 -0500 Received: from localhost (x4d0cd4e4.dyn.telefonica.de [77.12.212.228]) by mx.zohomail.com with SMTPS id 1489047276019620.7936653496365; Thu, 9 Mar 2017 00:14:36 -0800 (PST) References: <20170306033058.GA19658@jasmine> <87bmte4w35.fsf@elephly.net> <20170306183000.GA2185@jasmine> <87zigy2isr.fsf@elephly.net> <20170306214927.GA3639@jasmine> User-agent: mu4e 0.9.18; emacs 25.1.1 From: Ricardo Wurmus To: 25993-done@debbugs.gnu.org Subject: Re: bug#25993: texlive CVE-2016-10243 In-reply-to: <20170306214927.GA3639@jasmine> X-URL: https://elephly.net X-PGP-Key: https://elephly.net/rekado.pubkey X-PGP-Fingerprint: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC Date: Thu, 09 Mar 2017 09:14:32 +0100 Message-ID: <871su63lzr.fsf@elephly.net> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: 25993-done X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 1.0 (+) > Pushed as e20784e65efa7c783792e8a830d4b4aaf35750d5 Closing. From unknown Sat Sep 20 10:23:53 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Thu, 06 Apr 2017 11:24:05 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator