Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#53188 - [texlive-core] CVE-2016-10243 Arbitrary code execution

Attached to Project: Arch Linux
Opened by Julien (julroy67) - Tuesday, 07 March 2017, 01:12 GMT
Last edited by Rémy Oudompheng (remyoudompheng) - Saturday, 15 April 2017, 08:35 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Rémy Oudompheng (remyoudompheng)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No


The TeX system allows for calling external programs from within the
TeX source code (called \write18). This has been restricted to a
small set of programs since a long time ago.

Unfortunately it turned out that one program in the list, mpost
(also shipped with TeX Live), allows in turn to specify other
programs to be run, which allows arbitrary code execution when
compiling a TeX document.

Additional info:

Upstream commit :
This task depends upon

Closed by  Rémy Oudompheng (remyoudompheng)
Saturday, 15 April 2017, 08:35 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed in texlive-core 2016.42515-3
Comment by Julien (julroy67) - Wednesday, 12 April 2017, 14:50 GMT
As this could lead to "Arbitrary code execution", I really think someone should take a look at it and upload updated packages. It is now one month since the bug report and even more than 4 months since the bug was fixed upstream.