search

NixOS / security

MIT License
30 stars 12 forks source link

Roundup: [oss-security] TeX Live: CVE-2016-10243: whitelists a insecure binary/utility to be run as external program #104

Closed grahamc closed 7 years ago

grahamc commented 7 years ago

Here is a report from the oss-security mailing list for Vulnerability Roundup 27.

Skip to First Email

Instructions:

Identification

Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123

Skip to First Email

Upon Completion ...

Info

Triage Indicator:

-needs-triage +roundup27 thread:0000000000003fb0

Should the search term be changed from texlive? Suggest a new package search by commenting:

-suggested:texlive +suggested:correctPackageName thread:0000000000003fb0

Known CVEs: CVE-2016-10243

Skip to End

Sun, 5 Mar 2017 11:52:26 +0100 Salvatore Bonaccorso , 20170305105226.smsiuiqnhkrjnh6j@eldamar.local
Hi

Via http://cveform.mitre.org/ CVE-2016-10243 was assigned for the
following issue in the TeX Live system:

> The TeX system allows for calling external programs from within the
> TeX source code (called \write18). This has been restricted to a
> small set of programs since a long time ago.
>
> Unfortunately it turned out that one program in the list, mpost
> (also shipped with TeX Live), allows in turn to specify other
> programs to be run, which allows arbitrary code execution when
> compiling a TeX document.

Upstream commit addressing the issue:

https://www.tug.org/svn/texlive?view=revision&revision=42605

Report on the issue:

https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/

Regards,
Salvatore

Skip to End

vcunat commented 7 years ago

Easy to fix :-) Close, please.

grahamc commented 7 years ago

Thank you!