bug#25993: texlive CVE-2016-10243


From: Leo Famulari
Subject: bug#25993: texlive CVE-2016-10243
Date: Sun, 5 Mar 2017 22:30:58 -0500
User-agent: Mutt/1.8.0 (2017-02-23)

This fixes CVE-2016-10243:

"The TeX system allows for calling external programs from within the
TeX source code (called \write18). This has been restricted to a
small set of programs since a long time ago.

Unfortunately it turned out that one program in the list, mpost
(also shipped with TeX Live), allows in turn to specify other
programs to be run, which allows arbitrary code execution when
compiling a TeX document."

source:
http://seclists.org/oss-sec/2017/q1/555

This patch prevents the PoC described in the blog post:

https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/

Attachment: 0001-gnu-texlive-Fix-CVE-2016-10243.patch
Description: Text document

Attachment: signature.asc
Description: PGP signature
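
A defender-side check for the condition the quoted advisory describes, added here as an example; it is not part of the original message or of the attached patch. It parses texmf.cnf-style text and reports whether `mpost` is on the restricted shell-escape list; the sample configuration is constructed, and the function names and the `RISKY` set are assumptions of this example.

```python
import re

# Constructed sample in texmf.cnf syntax (not taken from a TeX Live release).
SAMPLE_CNF = """\
% restricted shell escape: only the programs listed below may be run
shell_escape = p
shell_escape_commands = \\
bibtex,bibtex8,\\
kpsewhich,\\
makeindex,\\
mpost,\\
repstopdf,\\

openout_any = p
"""

# mpost is the program named in the advisory; extend per local policy (assumption).
RISKY = {"mpost"}

def cnf_value(text, key):
    """Return the first assignment to `key`, joining backslash-continued lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("%"):          # comment line
            continue
        if line.endswith("\\"):           # continuation: keep accumulating
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    for line in logical + [buf]:
        m = re.match(r"([\w.]+)\s*=?\s*(.*)$", line)
        if m and m.group(1) == key:
            return m.group(2).strip()
    return None

def audit_shell_escape(text):
    """Report the shell-escape mode and any risky entries on the restricted list."""
    mode = (cnf_value(text, "shell_escape") or "")[:1]
    value = cnf_value(text, "shell_escape_commands") or ""
    allowed = [c.strip() for c in value.split(",") if c.strip()]
    risky = sorted(RISKY.intersection(allowed))
    # t/y/1 = unrestricted, p = restricted list only, anything else = disabled
    exposed = mode in ("t", "y", "1") or (mode == "p" and bool(risky))
    return {"mode": mode, "allowed": allowed, "risky": risky, "exposed": exposed}

if __name__ == "__main__":
    print(audit_shell_escape(SAMPLE_CNF))
```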

