bug#25993: texlive CVE-2016-10243
From: Leo Famulari
Subject: bug#25993: texlive CVE-2016-10243
Date: Sun, 5 Mar 2017 22:30:58 -0500
User-agent: Mutt/1.8.0 (2017-02-23)

This fixes CVE-2016-10243:
"The TeX system allows for calling external programs from within the
TeX source code (called \write18). This has been restricted to a
small set of programs since a long time ago.
Unfortunately it turned out that one program in the list, mpost
(also shipped with TeX Live), allows in turn to specify other
programs to be run, which allows arbitrary code execution when
compiling a TeX document."
source:
http://seclists.org/oss-sec/2017/q1/555
This patch prevents the POC described in blog post:
https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/
Attachment: 0001-gnu-texlive-Fix-CVE-2016-10243.patch (Text document)
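
An added example, not part of the original message or of the attached patch: a small audit that reads the restricted `\write18` allowlist from a `texmf.cnf` and reports whether `mpost` is still on it. It assumes the kpathsea `texmf.cnf` syntax (`%` comments, backslash line continuation) and that the allowlist lives in `shell_escape_commands`; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample of a texmf.cnf fragment (not taken from the page).
SAMPLE_TEXMF_CNF = r"""
% Enable restricted shell escape.
shell_escape = p
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,\
makeindex,\
mpost,\
repstopdf,\

% next setting
openout_any = p
"""

def read_cnf_value(text, name):
    """Return the value of `name`, joining backslash-continued lines."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("%"):          # comment line
            continue
        if line.endswith("\\"):           # continued on the next line
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)
    # Require '=' or whitespace after the name so that "shell_escape"
    # does not match "shell_escape_commands".
    pattern = re.compile(re.escape(name) + r"(?:\.\w+)?(?:\s*=\s*|\s+)(.*)$")
    for entry in logical:
        m = pattern.match(entry)
        if m:
            return m.group(1)   # assumption: the first definition is the effective one
    return None

def allowed_commands(text):
    """Programs that restricted \\write18 may run, per shell_escape_commands."""
    value = read_cnf_value(text, "shell_escape_commands") or ""
    return [c.strip() for c in value.split(",") if c.strip()]

def flagged_commands(text, flagged=("mpost",)):
    """Allowlist entries that can themselves launch other programs."""
    return [c for c in allowed_commands(text) if c in flagged]

if __name__ == "__main__":
    print("restricted shell mode:", read_cnf_value(SAMPLE_TEXMF_CNF, "shell_escape"))
    print("flagged entries:", flagged_commands(SAMPLE_TEXMF_CNF))
```

On an installed system the effective value can be obtained with `kpsewhich -var-value=shell_escape_commands` and passed through the same comma split.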