Date: Sun, 5 Mar 2017 11:52:26 +0100
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Subject: TeX Live: CVE-2016-10243: whitelists an insecure binary/utility to be
 run as external program


Via CVE-2016-10243 was assigned for the
following issue in the TeX Live system:

> The TeX system allows for calling external programs from within the
> TeX source code (called \write18). This has been restricted to a
> small set of programs since a long time ago.
> Unfortunately it turned out that one program in the list, mpost
> (also shipped with TeX Live), allows in turn to specify other
> programs to be run, which allows arbitrary code execution when
> compiling a TeX document.

Upstream commit addressing the issue:

Report on the issue:
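
An added example, not part of the original message or of TeX Live: a small audit that parses texmf.cnf-style text and reports whether `mpost` is still on the restricted shell-escape whitelist. The setting names `shell_escape` and `shell_escape_commands` are the texmf.cnf variables for this whitelist and are not quoted in the message; the sample configuration is constructed and the parser is a simplified reading of the file syntax.

```python
import re

# Constructed sample in texmf.cnf syntax (not copied from a real installation).
SAMPLE_CNF = r"""
% restricted shell escape: only listed programs may be run via \write18
shell_escape = p
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,\
mpost,\
repstopdf
"""

def parse_cnf(text):
    """Return {variable: value} from texmf.cnf-style text (simplified parser)."""
    logical, pending = [], ""
    for raw in text.splitlines():
        # '%' at line start or after whitespace begins a comment
        line = re.sub(r"(^|\s)%.*$", "", raw).strip()
        if line.endswith("\\"):          # trailing backslash continues the line
            pending += line[:-1].strip()
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)
    settings = {}
    for entry in logical:
        m = re.match(r"([A-Za-z0-9_.]+)\s*=?\s*(.*)$", entry)
        if m:
            # keep the first definition seen (assumed precedence: earlier wins)
            settings.setdefault(m.group(1), m.group(2).strip())
    return settings

def audit(text, risky=("mpost",)):
    """Report the shell-escape mode and any whitelisted program named in `risky`."""
    cfg = parse_cnf(text)
    allowed = [p.strip() for p in cfg.get("shell_escape_commands", "").split(",") if p.strip()]
    mode = cfg.get("shell_escape", "")
    flagged = [p for p in allowed if p in risky]
    # 'p' is restricted mode: only whitelisted programs run, so a flagged entry matters
    return {"mode": mode, "allowed": allowed, "flagged": flagged,
            "exposed": mode == "p" and bool(flagged)}

if __name__ == "__main__":
    print(audit(SAMPLE_CNF))
```

On an installed system the effective value can be read with `kpsewhich -var-value=shell_escape_commands` and checked the same way.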

