Date: Sun, 5 Mar 2017 11:52:26 +0100 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Subject: TeX Live: CVE-2016-10243: whitelists a insecure binary/utility to be run as external program Hi Via http://cveform.mitre.org/ CVE-2016-10243 was assigned for the following issue in the TeX Live system: > The TeX system allows for calling external programs from within the > TeX source code (called \write18). This has been restricted to a > small set of programs since a long time ago. > > Unfortunately it turned out that one program in the list, mpost > (also shipped with TeX Live), allows in turn to specify other > programs to be run, which allows arbitrary code execution when > compiling a TeX document. Upstream commit addressing the issue: https://www.tug.org/svn/texlive?view=revision&revision=42605 Report on the issue: https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/ Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.