Bugzilla – Bug 1028271
VUL-1: CVE-2016-10243: texlive-bin,texlive: mpost allows to run non-whitelisted external programs
Last modified: 2024-07-02 06:15:53 UTC
via oss-sec

From: Salvatore Bonaccorso <carnil@debian.org>
Subject: [oss-security] TeX Live: CVE-2016-10243: whitelists an insecure binary/utility to be run as external program
Date: Sun, 5 Mar 2017 11:52:26 +0100

Hi

Via http://cveform.mitre.org/ CVE-2016-10243 was assigned for the following issue in the TeX Live system:

> The TeX system allows for calling external programs from within the
> TeX source code (called \write18). This has been restricted to a
> small set of programs for a long time.
>
> Unfortunately it turned out that one program in the list, mpost
> (also shipped with TeX Live), allows in turn to specify other
> programs to be run, which allows arbitrary code execution when
> compiling a TeX document.

Upstream commit addressing the issue:
https://www.tug.org/svn/texlive?view=revision&revision=42605

Report on the issue:
https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/

Regards,
Salvatore
fix is to disallow mpost
bugbot adjusting priority
Hmmm ... removing mpost with a simple patch might not lead to the desirable result on an already installed texlive system, as /etc/texmf/web2c/texmf.cnf is marked with

  %config(noreplace) %verify(not md5 mtime size)

hence the fixed version becomes /etc/texmf/web2c/texmf.cnf.rpmnew ... Maybe using a %post scriptlet with

  sed -ri '/^shell_escape_commands = \\/,/^mpost,\\/{ /mpost,\\/d }' /etc/texmf/web2c/texmf.cnf

is the better way to enable this fix.
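As an added example, not code from this bug, from SUSE packaging or from TeX Live, the following POSIX shell script applies the range-restricted deletion idea of the %post scriptlet above to a constructed texmf.cnf fragment and then inspects the resulting shell_escape_commands whitelist, so a packager can verify that mpost is no longer among the programs \write18 may run (the issue described in the oss-sec mail above). The layout of the sample file, the function names and the temporary directory are assumptions; on a real system the functions would be pointed at /etc/texmf/web2c/texmf.cnf.

```shell
#!/bin/sh
# Added example: remove "mpost" from the TeX Live shell_escape_commands
# whitelist and verify the result. Not part of the bug report, SUSE's
# packaging or TeX Live; file layout and names below are assumptions.
set -u

# Write a constructed texmf.cnf fragment (modelled on the TeX Live 2013
# layout: one whitelisted program per continuation line) to path $1.
write_sample_cnf() {
    cat > "$1" <<'EOF'
% constructed sample fragment, not a real TeX Live texmf.cnf
shell_escape = p
shell_escape_commands = \
bibtex,bibtex8,\
extractbb,\
kpsewhich,\
makeindex,\
mpost,\
repstopdf,\

% mpost is still mentioned here, outside the whitelist; leave it alone
MPINPUTS = .;$TEXMF/metapost//
EOF
}

# Print the whitelist of file $1 as one comma-separated string: select the
# lines from "shell_escape_commands = \" up to the first line without a
# trailing backslash, strip the key and the continuation backslashes, join.
whitelist_of() {
    sed -n '/^shell_escape_commands *= *\\$/,/^[^\\]*$/p' "$1" \
        | sed -e 's/^shell_escape_commands *= *//' -e 's/\\$//' \
        | tr -d '\n'
}

# Succeed (exit 0) only if "mpost" is an entry of the whitelist in file $1.
# Matching the joined list with surrounding commas avoids false hits on
# comments or on names that merely contain "mpost".
mpost_whitelisted() {
    case ",$(whitelist_of "$1")," in
        *,mpost,*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Delete the "mpost,\" continuation line, but only inside the whitelist
# range, writing the result to $2 (no in-place edit, no GNU-only flags).
strip_mpost() {
    sed '/^shell_escape_commands *= *\\$/,/^[^\\]*$/{ /^mpost,\\$/d; }' "$1" > "$2"
}

# Stand-alone demonstration on the constructed sample.
demo() {
    dir=$(mktemp -d) || return 1
    write_sample_cnf "$dir/texmf.cnf"
    strip_mpost "$dir/texmf.cnf" "$dir/texmf.cnf.fixed"
    echo "before: $(whitelist_of "$dir/texmf.cnf")"
    echo "after:  $(whitelist_of "$dir/texmf.cnf.fixed")"
    if mpost_whitelisted "$dir/texmf.cnf.fixed"; then
        echo "mpost is STILL whitelisted"
    else
        echo "mpost removed from the whitelist"
    fi
    rm -rf "$dir"
}
demo
```

The check looks at the joined whitelist rather than grepping the file for the word, so a later comment or a path such as MPINPUTS that mentions mpost neither triggers a false positive nor gets deleted; the deletion is confined to the continuation block that starts at shell_escape_commands, which is the same range-addressing idea as the proposed sed one-liner.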
Q: Which openSUSE and SLES products should get this fix? Currently I run the build for openSUSE Factory.

/suse/werner> rpm -q --whatrequires texlive-metapost
texlive-dvips-2015.104.svn37754-20.19.noarch
texlive-collection-metapost-2015.105.svn37994-18.2.noarch
texlive-context-2015.104.svn37464-20.19.noarch
This is an autogenerated message for OBS integration: This bug (1028271) was mentioned in https://build.opensuse.org/request/show/477764 Factory / texlive-specs-m
We currently have this only on the planned update list, so I would not request an update right now. texlive-metapost is only on the SDK and the likelihood of running untrusted LaTeX is currently limited. (ransomware via tex files would be funny)
This is an autogenerated message for OBS integration: This bug (1028271) was mentioned in https://build.opensuse.org/request/show/486999 Factory / texlive-specs-v
(In reply to Bernhard Wiedemann from comment #7)
> This is an autogenerated message for OBS integration:
> This bug (1028271) was mentioned in
> https://rudin.suse.de:8894/request/show/486999 Factory / texlive-specs-v
The patch command is meanwhile broken, that is, texlive-specs-k does not build any more, and this even with the option --follow-symlinks

abuild@noether:/home/abuild/rpmbuild/BUILDROOT/texlive-kpathsea.noarch/usr/share/texlive> patch --reject-format=unified --quoting-style=literal -f -p0 --follow-symlinks -F0 -T < /home/abuild/rpmbuild/SOURCES/kpathsea_cnf.dif
can't find file to patch at input line 9
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|---
| texmf-dist/web2c/fmtutil.cnf |  18 ++--
| texmf-dist/web2c/mktex.opt   |  39 +++++++--
| texmf-dist/web2c/texmf.cnf   | 169 +++++++++++++++++++++++++------------------
| 3 files changed, 140 insertions(+), 86 deletions(-)
|
|--- texmf-dist/web2c/fmtutil.cnf
|+++ texmf-dist/web2c/fmtutil.cnf 2013-06-28 11:29:31.937439149 +0000
--------------------------
No file to patch. Skipping patch.
3 out of 3 hunks ignored
can't find file to patch at input line 47
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- texmf-dist/web2c/mktex.opt
|+++ texmf-dist/web2c/mktex.opt 2012-05-14 11:26:00.034911495 +0000
--------------------------
No file to patch. Skipping patch.
4 out of 4 hunks ignored
can't find file to patch at input line 125
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- texmf-dist/web2c/texmf.cnf
|+++ texmf-dist/web2c/texmf.cnf 2024-04-09 09:58:49.406358023 +0000
--------------------------
No file to patch. Skipping patch.
14 out of 14 hunks ignored
abuild@noether:/home/abuild/rpmbuild/BUILDROOT/texlive-kpathsea.noarch/usr/share/texlive> texmf-dist/
abuild@noether:/home/abuild/rpmbuild/BUILDROOT/texlive-kpathsea.noarch/usr/share/texlive> ls -l texmf-dist/web2c/fmtutil.cnf texmf-dist/web2c/mktex.opt texmf-dist/web2c/texmf.cnf
-rw-r--r-- 1 abuild abuild  4304 May  3  2013 texmf-dist/web2c/fmtutil.cnf
-rw-r--r-- 1 abuild abuild  4752 Apr  7  2013 texmf-dist/web2c/mktex.opt
-rw-r--r-- 1 abuild abuild 31707 Apr 15  2013 texmf-dist/web2c/texmf.cnf
The --follow-symlinks for patch does not work

* Wed May 18 2022 jdelvare@suse.de
- fix-swapping-fake-lines-in-pch_swap.patch: Fix swapping fake lines in
  pch_swap. This bug was causing a double free leading to a crash
  (boo#1080985 CVE-2018-6952).
- dont-follow-symlinks-unless-asked.patch: Don't follow symlinks unless
  --follow-symlinks is given. This increases the security against
  malicious patches (boo#1142041 CVE-2019-13636).
- pass-the-correct-stat-to-backup-files.patch: Pass the correct stat to
  backup files. This bug would occasionally cause backup files to be
  missing when all hunks failed to apply (boo#1198106).
- ed-style-07-dont-leak-tmp-file.patch,
  ed-style-08-dont-leak-tmp-file-multi.patch: Fix temporary file leak
  when applying ed-style patches (bsc#1092500, savannah#53820).
- fix-out-of-bounds-access.patch: Fix mainline tag.
I see a warning

###### valid_channel: (WARN)
* The release target SUSE:SLE-12:Update is not being used by any channel
* Please check, if there are changes needed to SUSE:Channels
SUSE-SU-2024:1203-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1028271
CVE References: CVE-2016-10243
Maintenance Incident: [SUSE:Maintenance:33323](https://smelt.suse.de/incident/33323/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): texlive-koma-script-2013.84.3.11bsvn29774-21.3.1, texlive-kastrup-2013.84.svn15878-21.3.1, texlive-kpathsea-2013.84.svn30218-21.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Dr. Werner Fink from comment #12)
> The --follow-symlinks for patch does not work

Please open a separate bugzilla for this issue, with a proper description of the issue and, ideally, a simple reproducer. You can assign the bug to me directly.
(In reply to Jean Delvare from comment #18)
> (In reply to Dr. Werner Fink from comment #12)
> > The --follow-symlinks for patch does not work
>
> Please open a separate bugzilla for this issue, with a proper description of
> the issue and, ideally, a simple reproducer. You can assign the bug to me
> directly.

Meanwhile I've switched from SLE-12 to SLE-12-SP1 as there I had already used a workaround for the new/old patch feature.
This is meanwhile fixed and shipped AFAICS