Date: Sun, 5 Mar 2017 22:30:58 -0500
From: Leo Famulari
To: guix-patches@gnu.org
Subject: texlive CVE-2016-10243
Message-ID: <20170306033058.GA19658@jasmine>

This fixes CVE-2016-10243:

"The TeX system allows for calling external programs from within the TeX
source code (called \write18). This has been restricted to a small set
of programs since a long time ago. Unfortunately it turned out that one
program in the list, mpost (also shipped with TeX Live), allows in turn
to specify other programs to be run, which allows arbitrary code
execution when compiling a TeX document."

source: http://seclists.org/oss-sec/2017/q1/555

This patch prevents the POC described in blog post:

https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/

Content-Disposition: attachment; filename="0001-gnu-texlive-Fix-CVE-2016-10243.patch"
Content-Transfer-Encoding: quoted-printable

=46rom 09cb7073e44b04b778b5b26a75074aaf2c8ee8e4 Mon Sep 17 00:00:00 2001
=46rom: Leo Famulari
Date: Sun, 5 Mar 2017 20:41:36 -0500
Subject: [PATCH] gnu: texlive: Fix CVE-2016-10243.

* gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/tex.scm (texlive-texmf-src): Use it. --- gnu/local.mk | 1 + .../patches/texlive-texmf-CVE-2016-10243.patch | 18 ++++++++++++++= ++++ gnu/packages/tex.scm | 2 ++ 3 files changed, 21 insertions(+) create mode 100644 gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch diff --git a/gnu/local.mk b/gnu/local.mk index c88892df5..9f83c2bca 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -930,6 +930,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/tcsh-fix-autotest.patch \ %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \ %D%/packages/patches/teensy-loader-cli-help.patch \ + %D%/packages/patches/texlive-texmf-CVE-2016-10243.patch \ %D%/packages/patches/texi2html-document-encoding.patch \ %D%/packages/patches/texi2html-i18n.patch \ %D%/packages/patches/tidy-CVE-2015-5522+5523.patch \ diff --git a/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch b/gnu/= packages/patches/texlive-texmf-CVE-2016-10243.patch new file mode 100644 index 000000000..3a9ae993f --- /dev/null +++ b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch @@ -0,0 +1,18 @@ +Fix CVE-2016-10243: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-10243 + +Patch adapted from upstream commit: + +https://www.tug.org/svn/texlive?view=3Drevision&revision=3D42605 + +--- trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:10:33 42604 ++++ trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:27:53 42605 +@@ -568,7 +568,6 @@ extractbb,\ + gregorio,\ + kpsewhich,\ + makeindex,\ +-mpost,\ + repstopdf,\ +=20 + % we'd like to allow: diff --git a/gnu/packages/tex.scm b/gnu/packages/tex.scm index 7c84ed719..404fd0339 100644 --- a/gnu/packages/tex.scm +++ b/gnu/packages/tex.scm 
@@ -72,6 +72,8 @@ (origin (method url-fetch) (uri "ftp://tug.org/historic/systems/texlive/2016/texlive-20160523b-te= xmf.tar.xz") + (patches (search-patches "texlive-texmf-CVE-2016-10243.patch")) + (patch-flags '("-p2")) (sha256 (base32 "1dv8vgfzpczqw82hv9g7a8djhhyzywljmrarlcyy6g2qi5q51glr")))) =20 --=20 2.12.0
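
Review bot: In the gnu/local.mk hunk the new texlive-texmf-CVE-2016-10243.patch entry is placed before texi2html-document-encoding.patch, which breaks the alphabetical order the surrounding entries follow ("texi" sorts before "texl"). Move it after texi2html-i18n.patch, directly before tidy-CVE-2015-5522+5523.patch.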
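
Review bot: The header of the new gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch says only "Patch adapted from upstream commit" and does not state what the change does or what was adapted. Add a sentence saying that it removes mpost from the list of programs allowed under restricted \write18, and note what differs from upstream revision 42605, so that whoever next updates texlive-texmf can tell when the patch can be dropped. Documents that call mpost through restricted shell escape will stop compiling after this change, which is worth a line in the commit log as well.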
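
Review bot: The (patch-flags '("-p2")) line in the gnu/packages/tex.scm hunk overrides the default strip level without a comment explaining why. Judging from the patch file, it is there to strip the trunk/Master/ prefix kept from the upstream SVN diff; either add a comment saying so, or rewrite the ---/+++ paths in the patch file to the a/texmf-dist/web2c/texmf.cnf form so that the default flags apply and the patch-flags line can be dropped.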
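
A check for the condition the message above describes, as an added example that is not part of the original e-mail or of Guix: it parses texmf.cnf text and reports whether `mpost` is still on the restricted shell-escape list. The variable names `shell_escape` and `shell_escape_commands` and the `bibtex` line are assumed from stock TeX Live rather than taken from this page, the sample file is constructed, and the parser is a simplification of kpathsea's.

```python
import re

# Constructed sample: the list as it stands before the fix. Entries from
# extractbb on are taken from the hunk; the bibtex line, the variable names
# and "shell_escape = p" are assumed from stock TeX Live, not from this page.
SAMPLE_CNF = r"""
shell_escape = p
shell_escape_commands = \
bibtex,bibtex8,\
extractbb,\
gregorio,\
kpsewhich,\
makeindex,\
mpost,\
repstopdf,\

% we'd like to allow:
"""

# Listed programs that can themselves start other programs
# (mpost, per CVE-2016-10243). Extend to match local policy.
UNSAFE = {"mpost"}


def cnf_settings(text):
    """Parse 'name = value' settings; simplified, one file, no expansion."""
    settings, pending = {}, ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)%.*$", "", raw).rstrip()  # strip % comments
        if line.endswith("\\"):  # trailing backslash continues the value
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        m = re.match(r"\s*([\w.]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit(text):
    """Return findings for the shell-escape policy in texmf.cnf text."""
    cfg = cnf_settings(text)
    mode = cfg.get("shell_escape", "")
    if mode == "t":
        return ["shell_escape=t: any program may be run"]
    if mode != "p":
        return []
    allowed = {c for c in cfg.get("shell_escape_commands", "").split(",") if c}
    return [f"{c} is on the restricted list" for c in sorted(allowed & UNSAFE)]
```

On an installed system, `kpsewhich -var-value=shell_escape_commands` prints the effective list after all texmf.cnf files have been merged.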