Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#53188 - [texlive-core] CVE-2016-10243 Arbitrary code execution
Attached to Project:
Arch Linux
Opened by Julien (julroy67) - Tuesday, 07 March 2017, 01:12 GMT
Last edited by Rémy Oudompheng (remyoudompheng) - Saturday, 15 April 2017, 08:35 GMT
Opened by Julien (julroy67) - Tuesday, 07 March 2017, 01:12 GMT
Last edited by Rémy Oudompheng (remyoudompheng) - Saturday, 15 April 2017, 08:35 GMT
|
DetailsDescription:
The TeX system allows for calling external programs from within the TeX source code (called \write18). This has been restricted to a small set of programs since a long time ago. Unfortunately it turned out that one program in the list, mpost (also shipped with TeX Live), allows in turn to specify other programs to be run, which allows arbitrary code execution when compiling a TeX document. Additional info: https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/ http://www.lieberbiber.de/2017/03/05/arbitrary-code-execution-in-many-tex-distributions/ Upstream commit : https://www.tug.org/svn/texlive?view=revision&revision=42605 |
This task depends upon
Closed by Rémy Oudompheng (remyoudompheng)
Saturday, 15 April 2017, 08:35 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in texlive-core 2016.42515-3
Saturday, 15 April 2017, 08:35 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in texlive-core 2016.42515-3
Comment by Julien (julroy67) -
Wednesday, 12 April 2017, 14:50 GMT
As this could lead to "Arbitrary code execution", I really think someone should take a look at it and upload updated packages. It is now one month since the bug report and even more than 4 months since the bug was fixed upstream.