GNU bug report logs - #25993
texlive CVE-2016-10243

Previous Next

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Mon, 6 Mar 2017 03:32:02 UTC

Severity: normal

Tags: fixed

Done: Ricardo Wurmus <rekado <at> elephly.net>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Leo Famulari <leo <at> famulari.name>
Subject: bug#25993: closed (Re: bug#25993: texlive CVE-2016-10243)
Date: Thu, 09 Mar 2017 08:15:02 +0000

[Message part 1 (text/plain, inline)]
Your bug report

#25993: texlive CVE-2016-10243

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 25993 <at> debbugs.gnu.org.

-- 
25993: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=25993
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Ricardo Wurmus <rekado <at> elephly.net>
To: 25993-done <at> debbugs.gnu.org
Subject: Re: bug#25993: texlive CVE-2016-10243
Date: Thu, 09 Mar 2017 09:14:32 +0100

> Pushed as e20784e65efa7c783792e8a830d4b4aaf35750d5

Closing.



[Message part 3 (message/rfc822, inline)]
From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: texlive CVE-2016-10243
Date: Sun, 5 Mar 2017 22:30:58 -0500

[Message part 4 (text/plain, inline)]
This fixes CVE-2016-10243:

"The TeX system allows for calling external programs from within the
TeX source code (called \write18). This has been restricted to a
small set of programs since a long time ago.

Unfortunately it turned out that one program in the list, mpost
(also shipped with TeX Live), allows in turn to specify other
programs to be run, which allows arbitrary code execution when
compiling a TeX document."

source:
http://seclists.org/oss-sec/2017/q1/555

This patch prevents the POC described in blog post:

https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/

[0001-gnu-texlive-Fix-CVE-2016-10243.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 8 years and 169 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.