Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 612328 (CVE-2016-10243)

Summary: <dev-libs/kpathsea-6.2.2_p20160523: mpost allows to run non-whitelisted external programs
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: tex
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/
Whiteboard: B2 [glsa cve]
Package list:
=dev-libs/kpathsea-6.2.2_p20160523
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-11 16:13:25 UTC
The TeX system allows for calling external programs from within the TeX source code (called \write18). This has been restricted to a small set of programs since a long time ago.

Unfortunately it turned out that one program in the list, mpost (also shipped with TeX Live), allows in turn to specify other programs to be run, which allows arbitrary code execution when compiling a TeX document.

Upstream patch:

https://www.tug.org/svn/texlive?view=revision&revision=42605
Comment 1 Alexis Ballier gentoo-dev 2017-03-11 17:34:42 UTC
we ship the texmf files with kpathsea

this is already fixed in our ebuilds (since i was very late in bumping to 2016 the commit was already there :) )

stabilization is already happening in bug #611076
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-14 11:11:58 UTC
Moving stabilization to security bug to let remaining arches know that this fixes a vulnerability.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-14 16:27:13 UTC
Stable for HPPA.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-17 20:59:04 UTC
New GLSA request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 15:47:45 UTC
This issue was resolved and addressed in
 GLSA 201709-07 at https://security.gentoo.org/glsa/201709-07
by GLSA coordinator Aaron Bauman (b-man).