| Summary: | <dev-libs/kpathsea-6.2.2_p20160523: mpost allows to run non-whitelisted external programs | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | tex |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/ | | |
| Whiteboard: | B2 [glsa cve] | | |
| Package list: | =dev-libs/kpathsea-6.2.2_p20160523 | | |
| Runtime testing required: | --- | | |

Description
Thomas Deutschmann (RETIRED)
2017-03-11 16:13:25 UTC
we ship the texmf files with kpathsea
this is already fixed in our ebuilds (since i was very late in bumping to 2016 the commit was already there :) )
stabilization is already happening in bug #611076

Moving stabilization to security bug to let remaining arches know that this fixes a vulnerability.

Stable for HPPA.

New GLSA request filed.

This issue was resolved and addressed in GLSA 201709-07 at https://security.gentoo.org/glsa/201709-07 by GLSA coordinator Aaron Bauman (b-man).