FS#53188 - [texlive-core] CVE-2016-10243 Arbitrary code execution
Attached to Project:
Arch Linux
Opened by Julien (julroy67) - Tuesday, 07 March 2017, 01:12 GMT
Last edited by Rémy Oudompheng (remyoudompheng) - Saturday, 15 April 2017, 08:35 GMT
Details
Description:
The TeX system allows for calling external programs from within the TeX source code (called \write18). This has been restricted to a small set of programs for a long time. Unfortunately it turned out that one program in the list, mpost (also shipped with TeX Live), allows in turn to specify other programs to be run, which allows arbitrary code execution when compiling a TeX document.

Additional info:
https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/
http://www.lieberbiber.de/2017/03/05/arbitrary-code-execution-in-many-tex-distributions/

Upstream commit: https://www.tug.org/svn/texlive?view=revision&revision=42605
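As an added check (not code from the bug report or from TeX Live), the following POSIX shell script reads the two kpathsea variables that govern \write18 and reports whether the restricted whitelist still contains mpost. It assumes, as the linked upstream commit does, that the fix is the removal of mpost from shell_escape_commands; kpsewhich is only needed for the live query, and the sample lists are constructed.

```shell
#!/bin/sh
# Added check, not part of the bug report or TeX Live. Assumes the fix is
# the removal of mpost from shell_escape_commands, as in the upstream commit.

# list_contains LIST NAME: succeed if NAME is an entry of comma-separated LIST
list_contains() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx -- "$2"
}

# assess SHELL_ESCAPE SHELL_ESCAPE_COMMANDS: print "<verdict>: <reason>"
# shell_escape: t/y/1 = unrestricted, p = restricted whitelist, else off
assess() {
    case "$1" in
        t|y|1) printf '%s\n' "unrestricted: shell_escape=$1 lets \\write18 run any program" ;;
        p) if list_contains "$2" mpost; then
               printf '%s\n' "vulnerable: restricted mode still whitelists mpost (CVE-2016-10243)"
           else
               printf '%s\n' "fixed: restricted mode, mpost not in shell_escape_commands"
           fi ;;
        *) printf '%s\n' "disabled: shell_escape=$1 turns \\write18 off" ;;
    esac
}

# Constructed sample lists (illustrative, not copied from any real texmf.cnf)
VULN_LIST="bibtex,bibtex8,extractbb,kpsewhich,makeindex, mpost ,repstopdf"
FIXED_LIST="bibtex,bibtex8,extractbb,kpsewhich,makeindex,repstopdf"

# Query the live installation when kpsewhich (part of TeX Live) is on PATH,
# otherwise show the verdict for the two constructed samples
if command -v kpsewhich >/dev/null 2>&1; then
    assess "$(kpsewhich --var-value=shell_escape)" \
           "$(kpsewhich --var-value=shell_escape_commands)"
else
    assess p "$VULN_LIST"
    assess p "$FIXED_LIST"
fi
```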
Closed by Rémy Oudompheng (remyoudompheng)
Saturday, 15 April 2017, 08:35 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in texlive-core 2016.42515-3
Comment by Julien (julroy67) -
Wednesday, 12 April 2017, 14:50 GMT
As this could lead to "Arbitrary code execution", I really think someone should take a look at it and upload updated packages. It is now one month since the bug report and even more than 4 months since the bug was fixed upstream.