texlive CVE-2016-10243

Done. Submitted by Leo Famulari.
Details
2 participants
  • Leo Famulari
  • Ricardo Wurmus
Owner
unassigned
Severity
normal
Leo Famulari wrote on 6 Mar 2017 04:30
(address . guix-patches@gnu.org)
20170306033058.GA19658@jasmine
This fixes CVE-2016-10243:
"The TeX system allows for calling external programs from within the TeX source code (called \write18). This has been restricted to a small set of programs since a long time ago.
Unfortunately it turned out that one program in the list, mpost (also shipped with TeX Live), allows in turn to specify other programs to be run, which allows arbitrary code execution when compiling a TeX document."
Source: http://seclists.org/oss-sec/2017/q1/555
This patch prevents the PoC described in this blog post:
https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/
From 09cb7073e44b04b778b5b26a75074aaf2c8ee8e4 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sun, 5 Mar 2017 20:41:36 -0500
Subject: [PATCH] gnu: texlive: Fix CVE-2016-10243.

* gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/tex.scm (texlive-texmf-src): Use it.
---
 gnu/local.mk                                       |  1 +
 .../patches/texlive-texmf-CVE-2016-10243.patch     | 18 ++++++++++++++++++
 gnu/packages/tex.scm                               |  2 ++
 3 files changed, 21 insertions(+)
 create mode 100644 gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch
Toggle diff (51 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex c88892df5..9f83c2bca 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -930,6 +930,7 @@ dist_patch_DATA = \ %D%/packages/patches/tcsh-fix-autotest.patch \ %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \ %D%/packages/patches/teensy-loader-cli-help.patch \+ %D%/packages/patches/texlive-texmf-CVE-2016-10243.patch \ %D%/packages/patches/texi2html-document-encoding.patch \ %D%/packages/patches/texi2html-i18n.patch \ %D%/packages/patches/tidy-CVE-2015-5522+5523.patch \diff --git a/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patchnew file mode 100644index 000000000..3a9ae993f--- /dev/null+++ b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch@@ -0,0 +1,18 @@+Fix CVE-2016-10243:++https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10243++Patch adapted from upstream commit:++https://www.tug.org/svn/texlive?view=revision&revision=42605++--- trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:10:33 42604++++ trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:27:53 42605+@@ -568,7 +568,6 @@ extractbb,\+ gregorio,\+ kpsewhich,\+ makeindex,\+-mpost,\+ repstopdf,\+ + % we'd like to allow:diff --git a/gnu/packages/tex.scm b/gnu/packages/tex.scmindex 7c84ed719..404fd0339 100644--- a/gnu/packages/tex.scm+++ b/gnu/packages/tex.scm@@ -72,6 +72,8 @@ (origin (method url-fetch) (uri "ftp://tug.org/historic/systems/texlive/2016/texlive-20160523b-texmf.tar.xz")+ (patches (search-patches "texlive-texmf-CVE-2016-10243.patch"))+ (patch-flags '("-p2")) (sha256 (base32 "1dv8vgfzpczqw82hv9g7a8djhhyzywljmrarlcyy6g2qi5q51glr")))) -- 2.12.0
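Review bot: in the gnu/local.mk hunk the new `dist_patch_DATA` entry is out of alphabetical order; `texlive-texmf-CVE-2016-10243.patch` sorts after `texi2html-i18n.patch`, not between `teensy-loader-cli-help.patch` and `texi2html-document-encoding.patch`, so move the `+` line down two entries to keep the list sorted.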
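Review bot: the header of the new texlive-texmf-CVE-2016-10243.patch cites upstream revision 42605 but carries only the hunk for `trunk/Master/texmf-dist/web2c/texmf.cnf`; if that upstream revision also touches another copy of texmf.cnf, state in the header which copies are deliberately left alone and why (for example, that they are not part of the built output), so a later reader does not have to re-derive the reasoning.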
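Review bot: in the gnu/packages/tex.scm hunk, `(patch-flags '("-p2"))` is needed only because the patch keeps upstream's `trunk/Master/` path prefix; rewriting the `---`/`+++` paths so the default `-p1` applies would drop the non-default flag, and if it stays, a short comment next to it explaining the prefix would save the next contributor a surprise.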

Ricardo Wurmus wrote on 6 Mar 2017 10:02
(name . Leo Famulari)(address . leo@famulari.name)(address . 25993@debbugs.gnu.org)
87bmte4w35.fsf@elephly.net
Leo Famulari <leo@famulari.name> writes:
> This fixes CVE-2016-10243:
Thanks for preparing the patch to fix this.
Toggle quote (26 lines)> diff --git a/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch> new file mode 100644> index 000000000..3a9ae993f> --- /dev/null> +++ b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch> @@ -0,0 +1,18 @@> +Fix CVE-2016-10243:> +> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10243> +> +Patch adapted from upstream commit:> +> +https://www.tug.org/svn/texlive?view=revision&revision=42605> +> +--- trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:10:33 42604> ++++ trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:27:53 42605> +@@ -568,7 +568,6 @@ extractbb,\> + gregorio,\> + kpsewhich,\> + makeindex,\> +-mpost,\> + repstopdf,\> +> + % we'd like to allow:> diff --git a/gnu/packages/tex.scm b/gnu/packages/tex.scm
Is this sufficient? I see here that two files need this change:
https://www.tug.org/svn/texlive?view=revision&revision=42605
Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?
-- Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
Leo Famulari wrote on 6 Mar 2017 19:30
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 25993@debbugs.gnu.org)
20170306183000.GA2185@jasmine
On Mon, Mar 06, 2017 at 10:02:06AM +0100, Ricardo Wurmus wrote:
> Is this sufficient? I see here that two files need this change:
>
> https://www.tug.org/svn/texlive?view=revision&revision=42605
>
> Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?
I inspected the built output of texlive, texlive-bin, and texlive-texmf, and none of them include the texmf.cnf file for kpathsea.
That file does exist in the source.
AFAICT, the only .cnf file in our built package that whitelists mpost is the one I patched.
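As an added example that is not part of this thread, of Guix or of TeX Live, the script below automates the check Leo describes above and the mechanism quoted in the first message: it reads a kpathsea-style texmf.cnf (a `%` starts a comment, a trailing backslash continues the line), extracts `shell_escape` and the `shell_escape_commands` allowlist, and reports whether \write18 is unrestricted or whether mpost is still allowlisted. The two configuration fragments are constructed, modelled on the hunk in the patch; in practice the check is run over every texmf.cnf found in the built output.

```python
import re
# Constructed texmf.cnf fragment modelled on the hunk in this thread's patch.
VULNERABLE_CNF = """\
shell_escape = p  % p = restricted: only shell_escape_commands may run
shell_escape_commands = \\
bibtex,bibtex8,\\
extractbb,\\
gregorio,\\
kpsewhich,\\
makeindex,\\
mpost,\\
repstopdf,\\

% we'd like to allow:
"""
# Same fragment with the mpost line dropped, as the upstream fix does.
FIXED_CNF = VULNERABLE_CNF.replace("mpost,\\\n", "")

def parse_cnf(text):
    """kpathsea-style .cnf reader: '%' starts a comment, a trailing backslash
    joins the next line, 'name = value' sets a variable.  Assumption: no
    special handling of 'name.PROG' program-specific overrides."""
    values, logical = {}, ""
    for raw in text.splitlines():
        line = raw.split("%", 1)[0].rstrip()
        if line.endswith("\\"):  # continuation: keep accumulating
            logical += line[:-1]
            continue
        logical += line
        m = re.match(r"^\s*([\w.]+)\s*=\s*(.*)$", logical)
        if m:
            values[m.group(1)] = m.group(2).strip()
        logical = ""
    return values

def shell_escape_allowlist(values):
    """Commands reachable through restricted \\write18 (empty items dropped)."""
    raw = values.get("shell_escape_commands", "")
    return [c.strip() for c in raw.split(",") if c.strip()]

def audit(text):
    """Return (shell_escape mode, list of findings) for one texmf.cnf."""
    values = parse_cnf(text)
    mode = values.get("shell_escape", "f")
    findings = []
    if mode == "t":
        findings.append("shell_escape = t: unrestricted \\write18")
    elif mode == "p" and "mpost" in shell_escape_allowlist(values):
        findings.append("mpost still in shell_escape_commands (CVE-2016-10243)")
    return mode, findings
```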

Ricardo Wurmus wrote on 6 Mar 2017 22:32
(name . Leo Famulari)(address . leo@famulari.name)(address . 25993@debbugs.gnu.org)
87zigy2isr.fsf@elephly.net
Leo Famulari <leo@famulari.name> writes:
> On Mon, Mar 06, 2017 at 10:02:06AM +0100, Ricardo Wurmus wrote:
>> Is this sufficient? I see here that two files need this change:
>>
>> https://www.tug.org/svn/texlive?view=revision&revision=42605
>>
>> Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?
>
> I inspected the built output of texlive, texlive-bin, and texlive-texmf,
> and none of them include the texmf.cnf file for kpathsea.
>
> That file does exist in the source.
>
> AFAICT, the only .cnf file in our built package that whitelists mpost is
> the one I patched.
Thank you for confirming this. The patch looks good to me!
-- Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
Leo Famulari wrote on 6 Mar 2017 22:49
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 25993@debbugs.gnu.org)
20170306214927.GA3639@jasmine
On Mon, Mar 06, 2017 at 10:32:04PM +0100, Ricardo Wurmus wrote:
>
> Leo Famulari <leo@famulari.name> writes:
>
> > On Mon, Mar 06, 2017 at 10:02:06AM +0100, Ricardo Wurmus wrote:
> >> Is this sufficient? I see here that two files need this change:
> >>
> >> https://www.tug.org/svn/texlive?view=revision&revision=42605
> >>
> >> Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?
> >
> > I inspected the built output of texlive, texlive-bin, and texlive-texmf,
> > and none of them include the texmf.cnf file for kpathsea.
> >
> > That file does exist in the source.
> >
> > AFAICT, the only .cnf file in our built package that whitelists mpost is
> > the one I patched.
>
> Thank you for confirming this. The patch looks good to me!
Thanks for your review!
Pushed as e20784e65efa7c783792e8a830d4b4aaf35750d5
By the way, I'd normally adjust the patch to use the default patch-level of 'p1', and to include another, more descriptive, link about the bug. But I lack the disk space to rebuild texlive again. Building it before and after the bug-fix, for testing, used ~12 GB.
Ricardo Wurmus wrote on 9 Mar 2017 09:06
control message for bug #25993
(address . control@debbugs.gnu.org)
E1clt5v-0003UJ-PT@debbugs.gnu.org
tags 25993 fixed
Ricardo Wurmus wrote on 9 Mar 2017 09:14
Re: bug#25993: texlive CVE-2016-10243
(address . 25993-done@debbugs.gnu.org)
871su63lzr.fsf@elephly.net
> Pushed as e20784e65efa7c783792e8a830d4b4aaf35750d5
Closing.
Closed