Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 612328 (CVE-2016-10243) - <dev-libs/kpathsea-6.2.2_p20160523: mpost allows to run non-whitelisted external programs
Summary: <dev-libs/kpathsea-6.2.2_p20160523: mpost allows to run non-whitelisted exter...
Status: RESOLVED FIXED
Alias: CVE-2016-10243
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://scumjr.github.io/2016/11/28/p...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-03-11 16:13 UTC by Thomas Deutschmann
Modified: 2017-09-17 15:47 UTC (History)
1 user (show)

See Also:
Package list:
=dev-libs/kpathsea-6.2.2_p20160523
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-03-11 16:13:25 UTC
The TeX system allows for calling external programs from within the TeX source code (called \write18). This has been restricted to a small set of programs since a long time ago.

Unfortunately it turned out that one program in the list, mpost (also shipped with TeX Live), allows in turn to specify other programs to be run, which allows arbitrary code execution when compiling a TeX document.

Upstream patch:

https://www.tug.org/svn/texlive?view=revision&revision=42605
Comment 1 Alexis Ballier gentoo-dev 2017-03-11 17:34:42 UTC
we ship the texmf files with kpathsea

this is already fixed in our ebuilds (since i was very late in bumping to 2016 the commit was already there :) )

stabilization is already happening in bug #611076
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-03-14 11:11:58 UTC
Moving stabilization to security bug to let remaining arches know that this fixes a vulnerability.
Comment 3 Jeroen Roovers gentoo-dev 2017-03-14 16:27:13 UTC
Stable for HPPA.
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-06-17 20:59:04 UTC
New GLSA request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 15:47:45 UTC
This issue was resolved and addressed in
 GLSA 201709-07 at https://security.gentoo.org/glsa/201709-07
by GLSA coordinator Aaron Bauman (b-man).