texlive CVE-2016-10243

  • Done
  • quality assurance status badge
Details
2 participants
  • Leo Famulari
  • Ricardo Wurmus
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
L
L
Leo Famulari wrote on 6 Mar 2017 04:30
(address . guix-patches@gnu.org)
20170306033058.GA19658@jasmine
This fixes CVE-2016-10243:

"The TeX system allows for calling external programs from within the
TeX source code (called \write18). This has been restricted to a
small set of programs since a long time ago.

Unfortunately it turned out that one program in the list, mpost
(also shipped with TeX Live), allows in turn to specify other
programs to be run, which allows arbitrary code execution when
compiling a TeX document."

source:

This patch prevents the POC described in blog post:

From 09cb7073e44b04b778b5b26a75074aaf2c8ee8e4 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sun, 5 Mar 2017 20:41:36 -0500
Subject: [PATCH] gnu: texlive: Fix CVE-2016-10243.

* gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/tex.scm (texlive-texmf-src): Use it.
---
gnu/local.mk | 1 +
.../patches/texlive-texmf-CVE-2016-10243.patch | 18 ++++++++++++++++++
gnu/packages/tex.scm | 2 ++
3 files changed, 21 insertions(+)
create mode 100644 gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch

Toggle diff (51 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index c88892df5..9f83c2bca 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -930,6 +930,7 @@ dist_patch_DATA = \
%D%/packages/patches/tcsh-fix-autotest.patch \
%D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \
%D%/packages/patches/teensy-loader-cli-help.patch \
+ %D%/packages/patches/texlive-texmf-CVE-2016-10243.patch \
%D%/packages/patches/texi2html-document-encoding.patch \
%D%/packages/patches/texi2html-i18n.patch \
%D%/packages/patches/tidy-CVE-2015-5522+5523.patch \
diff --git a/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch
new file mode 100644
index 000000000..3a9ae993f
--- /dev/null
+++ b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch
@@ -0,0 +1,18 @@
+Fix CVE-2016-10243:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10243
+
+Patch adapted from upstream commit:
+
+https://www.tug.org/svn/texlive?view=revision&revision=42605
+
+--- trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:10:33 42604
++++ trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:27:53 42605
+@@ -568,7 +568,6 @@ extractbb,\
+ gregorio,\
+ kpsewhich,\
+ makeindex,\
+-mpost,\
+ repstopdf,\
+
+ % we'd like to allow:
diff --git a/gnu/packages/tex.scm b/gnu/packages/tex.scm
index 7c84ed719..404fd0339 100644
--- a/gnu/packages/tex.scm
+++ b/gnu/packages/tex.scm
@@ -72,6 +72,8 @@
(origin
(method url-fetch)
(uri "ftp://tug.org/historic/systems/texlive/2016/texlive-20160523b-texmf.tar.xz")
+ (patches (search-patches "texlive-texmf-CVE-2016-10243.patch"))
+ (patch-flags '("-p2"))
(sha256 (base32
"1dv8vgfzpczqw82hv9g7a8djhhyzywljmrarlcyy6g2qi5q51glr"))))
--
2.12.0
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAli81+8ACgkQJkb6MLrK
fwgbgRAAvmK4skkiIQHGR6s+MY6PlguXOIiIWHGznzLEM5liOVZ/PqjYg9lAwXg4
TjXerB7o1vC7njHC4hhPd2DGq4P9Bkz5M7nx7AKOHNxJ6vU5LVrZgDofnYFVT/Er
lS/Z9lVrA86nKTlmY+7f9MqFVBpd7FArU9LdJvI9mcPkA5BGhgTNfAlVqnqwPDrZ
1EBWX82wAsyVLto9xxHUYFGmn6n1SMZLEjonpMN1/4W9+qEzx/pnTvkmbuq4RZFX
mGQP0X3sA3FyzyCLTMbz1sBSHMOtA27zNexj5UQm9cR/EliVJsdFAj4VNYF5HSF9
uWRi7u/tAb7myiA99UPDxuoq2XGvFhRq4YzfITVgCp8oJO1nGbz18THhGUW28nPF
kliISyc7X4At1DpooXTxLTI6kBEOhJjq/Q+q5eLzpi3oBvVO7KsRXJwWYXlRi2DO
MxAkJ6DA9a4nuC31ro5TXwN1+Xzl3FRm1eYLp+td3t4rk/L82wDk7hpB42NDiDkq
8ecxZ68NhX85cNKW0/t+ozH6tEwXn/ESIjKQhaooxzD1nPBngo32ANPlXthQTEC4
fr9DiLaR6BrekGMRSqrjJ/s1nEJHe6mQ9ks+yXOy9DIYOCb8NFxq0xdM7xkTfu2w
DrcecIN2llAoN9TQzR/mpSehuL+jxDRFpYs6fRzibRBiL6X3bNY=
=H4uz
-----END PGP SIGNATURE-----


R
R
Ricardo Wurmus wrote on 6 Mar 2017 10:02
(name . Leo Famulari)(address . leo@famulari.name)(address . 25993@debbugs.gnu.org)
87bmte4w35.fsf@elephly.net
Leo Famulari <leo@famulari.name> writes:

Toggle quote (2 lines)
> This fixes CVE-2016-10243:

Thanks for preparing the patch to fix this.

Toggle quote (26 lines)
> diff --git a/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch
> new file mode 100644
> index 000000000..3a9ae993f
> --- /dev/null
> +++ b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch
> @@ -0,0 +1,18 @@
> +Fix CVE-2016-10243:
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10243
> +
> +Patch adapted from upstream commit:
> +
> +https://www.tug.org/svn/texlive?view=revision&revision=42605
> +
> +--- trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:10:33 42604
> ++++ trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:27:53 42605
> +@@ -568,7 +568,6 @@ extractbb,\
> + gregorio,\
> + kpsewhich,\
> + makeindex,\
> +-mpost,\
> + repstopdf,\
> +
> + % we'd like to allow:
> diff --git a/gnu/packages/tex.scm b/gnu/packages/tex.scm

Is this sufficient? I see here that two files need this change:


Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
L
L
Leo Famulari wrote on 6 Mar 2017 19:30
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 25993@debbugs.gnu.org)
20170306183000.GA2185@jasmine
On Mon, Mar 06, 2017 at 10:02:06AM +0100, Ricardo Wurmus wrote:
Toggle quote (6 lines)
> Is this sufficient? I see here that two files need this change:
>
> https://www.tug.org/svn/texlive?view=revision&revision=42605
>
> Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?

I inspected the built output of texlive, texlive-bin, and texlive-texmf,
and none of them include the texmf.cnf file for kpathsea.

That file does exist in the source.

AFAICT, the only .cnf file in our built package that whitelists mpost is
the one I patched.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAli9qqgACgkQJkb6MLrK
fwhJ5A//Q1+iDM3ce34DzItzZzHk+Cy6pxm+X4RimHwCBKeOWlFGXNQlR0Q6u8Va
tXe5idHX/j/hllty6bhtQ5OKx3jmFLe+77WpYOjjkfmWoUOpvBTpyC0QTsQOX3sT
VkFLh0FjCj6gPafIxgt12/S7GuG3UwWOfv5/fOjg8bvnrEaP0IIcV3aEuz2h2KpZ
FA4yt55L1E0d8e8sV5CvXpjjF8CDx9WtyFYY9h7j6RrGOO0eJSJKByd35sIKmHTa
Qsu0x+apskg+VfqichnqnITHaUrzz5rZYvn3lvxmG8V1tYgNSENeBqTL5bwo/qae
JT5ObjjnebMZTcDLhE/hB2fph372xgcHD9MtYe0SpBFuIy/RiYunq7PWmOcplQ0z
Ce4BoXH5z/vLwMHH1PHH8/MIL/n/FsK4JtwDAGQH2lAVfyghpdN6HUT1frXUug8D
2Uk8Dqf1DVkd5bxa72hyJrirdLjK/v/lECyB256ARTwUlf07VBTHMK0W6x3oBYI6
C//c/C6nwlhPVyYAZl0rSycGVoZuZYJcYVlkgV+6JQusPoocU25QpfvDgIqBKrG4
rCiXJw+9w890aMOhy8QvuS7oVDfkPokGjbVk/IjfWJvSQ4dcNcizS1VEJ7fra4vz
/9sDQPhDeq0C9O65B5cfDSH7tQZ7itWDtn9uBnSuMQMwX8v7Vns=
=695L
-----END PGP SIGNATURE-----


R
R
Ricardo Wurmus wrote on 6 Mar 2017 22:32
(name . Leo Famulari)(address . leo@famulari.name)(address . 25993@debbugs.gnu.org)
87zigy2isr.fsf@elephly.net
Leo Famulari <leo@famulari.name> writes:

Toggle quote (15 lines)
> On Mon, Mar 06, 2017 at 10:02:06AM +0100, Ricardo Wurmus wrote:
>> Is this sufficient? I see here that two files need this change:
>>
>> https://www.tug.org/svn/texlive?view=revision&revision=42605
>>
>> Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?
>
> I inspected the built output of texlive, texlive-bin, and texlive-texmf,
> and none of them include the texmf.cnf file for kpathsea.
>
> That file does exist in the source.
>
> AFAICT, the only .cnf file in our built package that whitelists mpost is
> the one I patched.

Thank you for confirming this. The patch looks good to me!

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
L
L
Leo Famulari wrote on 6 Mar 2017 22:49
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 25993@debbugs.gnu.org)
20170306214927.GA3639@jasmine
On Mon, Mar 06, 2017 at 10:32:04PM +0100, Ricardo Wurmus wrote:
Toggle quote (20 lines)
>
> Leo Famulari <leo@famulari.name> writes:
>
> > On Mon, Mar 06, 2017 at 10:02:06AM +0100, Ricardo Wurmus wrote:
> >> Is this sufficient? I see here that two files need this change:
> >>
> >> https://www.tug.org/svn/texlive?view=revision&revision=42605
> >>
> >> Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?
> >
> > I inspected the built output of texlive, texlive-bin, and texlive-texmf,
> > and none of them include the texmf.cnf file for kpathsea.
> >
> > That file does exist in the source.
> >
> > AFAICT, the only .cnf file in our built package that whitelists mpost is
> > the one I patched.
>
> Thank you for confirming this. The patch looks good to me!

Thanks for your review!

Pushed as e20784e65efa7c783792e8a830d4b4aaf35750d5

By the way, I'd normally adjust the patch to use the default patch-level
of 'p1', and to include another, more descriptive, link about the bug.
But I lack the disk space to rebuild texlive again. Building it before
and after the bug-fix, for testing, used ~12 GB.
R
R
Ricardo Wurmus wrote on 9 Mar 2017 09:06
control message for bug #25993
(address . control@debbugs.gnu.org)
E1clt5v-0003UJ-PT@debbugs.gnu.org
tags 25993 fixed
R
R
Ricardo Wurmus wrote on 9 Mar 2017 09:14
Re: bug#25993: texlive CVE-2016-10243
(address . 25993-done@debbugs.gnu.org)
871su63lzr.fsf@elephly.net
Toggle quote (2 lines)
> Pushed as e20784e65efa7c783792e8a830d4b4aaf35750d5

Closing.
Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 25993@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 25993
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch