Date: Sun, 5 Mar 2017 11:52:26 +0100 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Subject: TeX Live: CVE-2016-10243: whitelists a insecure binary/utility to be run as external program Hi Via http://cveform.mitre.org/ CVE-2016-10243 was assigned for the following issue in the TeX Live system: > The TeX system allows for calling external programs from within the > TeX source code (called \write18). This has been restricted to a > small set of programs since a long time ago. > > Unfortunately it turned out that one program in the list, mpost > (also shipped with TeX Live), allows in turn to specify other > programs to be run, which allows arbitrary code execution when > compiling a TeX document. Upstream commit addressing the issue: https://www.tug.org/svn/texlive?view=revision&revision=42605 Report on the issue: https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/ Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ