From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#25993: closed (texlive CVE-2016-10243)
Date: Thu, 09 Mar 2017 08:15:02 +0000

Your message dated Thu, 09 Mar 2017 09:14:32 +0100
with message-id <address@hidden>
and subject line Re: bug#25993: texlive CVE-2016-10243
has caused the debbugs.gnu.org bug report #25993,
regarding texlive CVE-2016-10243
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)

--
25993: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=25993
GNU Bug Tracking System
Contact address@hidden with problems

--- Begin Message ---
Subject: texlive CVE-2016-10243
Date: Sun, 5 Mar 2017 22:30:58 -0500
User-agent: Mutt/1.8.0 (2017-02-23)

This fixes CVE-2016-10243:

"The TeX system allows for calling external programs from within the TeX
source code (called \write18). This has been restricted to a small set of
programs since a long time ago. Unfortunately it turned out that one
program in the list, mpost (also shipped with TeX Live), allows in turn to
specify other programs to be run, which allows arbitrary code execution
when compiling a TeX document."

source: http://seclists.org/oss-sec/2017/q1/555

This patch prevents the POC described in blog post:
https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/

Attachment: 0001-gnu-texlive-Fix-CVE-2016-10243.patch
Description: Text document

Attachment: signature.asc
Description: PGP signature
--- End Message ---
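
A defensive check for the condition described in the advisory quoted in the message above, added here as an example; it is not part of the original message or of the attached patch. It parses text in texmf.cnf syntax and reports whether mpost is on the restricted \write18 allowlist. The setting names shell_escape and shell_escape_commands are the ones TeX Live's texmf.cnf uses; the sample file contents and the DENYLIST name are constructed for illustration.

```python
import re

# Constructed excerpt in texmf.cnf syntax (not copied from a real install).
SAMPLE_TEXMF_CNF = """\
% restricted shell escape: only listed programs may run via \\write18
shell_escape = p
shell_escape_commands = \\
bibtex,bibtex8,\\
kpsewhich,\\
makeindex,\\
mpost,\\
repstopdf,\\

openout_any = p
"""

# Assumption: programs the auditor refuses to see on the allowlist.
# mpost is the one named in the CVE-2016-10243 advisory.
DENYLIST = {"mpost"}


def logical_lines(text):
    """Drop % comments and join lines that end in a backslash."""
    buf = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)%.*", "", raw).strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf:
            yield buf
        buf = ""
    if buf:
        yield buf


def audit(text, denylist=DENYLIST):
    """Return the shell-escape mode, the allowlist, and denylisted entries on it."""
    cfg = {}
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        if sep:
            cfg.setdefault(key.strip(), value.strip())  # keep first definition seen
    allowed = [c.strip() for c in cfg.get("shell_escape_commands", "").split(",") if c.strip()]
    return {
        "mode": cfg.get("shell_escape", ""),  # p = restricted, t = any command, f = none
        "allowed": allowed,
        "flagged": sorted(set(allowed) & set(denylist)),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_TEXMF_CNF))
```

On an installed system the same text can be read from the texmf.cnf files that kpathsea finds; a non-empty "flagged" list with mode "p" means the listed program is still reachable from documents compiled in restricted mode.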
--- Begin Message ---
Subject: Re: bug#25993: texlive CVE-2016-10243
Date: Thu, 09 Mar 2017 09:14:32 +0100
User-agent: mu4e 0.9.18; emacs 25.1.1

> Pushed as e20784e65efa7c783792e8a830d4b4aaf35750d5

Closing.
--- End Message ---