The TeX system allows for calling external programs from within the TeX source code (called \write18). This has been restricted to a small set of programs since a long time ago. Unfortunately it turned out that one program in the list, mpost (also shipped with TeX Live), allows in turn to specify other programs to be run, which allows arbitrary code execution when compiling a TeX document. Upstream patch: https://www.tug.org/svn/texlive?view=revision&revision=42605
we ship the texmf files with kpathsea this is already fixed in our ebuilds (since i was very late in bumping to 2016 the commit was already there :) ) stabilization is already happening in bug #611076
Moving stabilization to security bug to let remaining arches know that this fixes a vulnerability.
Stable for HPPA.
New GLSA request filed.
This issue was resolved and addressed in GLSA 201709-07 at https://security.gentoo.org/glsa/201709-07 by GLSA coordinator Aaron Bauman (b-man).