From: Ricardo Wurmus
To: Leo Famulari
Cc: 25993@debbugs.gnu.org
Subject: Re: bug#25993: texlive CVE-2016-10243
Date: Mon, 06 Mar 2017 10:02:06 +0100

Leo Famulari writes:

> This fixes CVE-2016-10243:

Thanks for preparing the patch to fix this.

> diff --git a/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch > new file mode 100644 > index 000000000..3a9ae993f > --- /dev/null > +++ b/gnu/packages/patches/texlive-texmf-CVE-2016-10243.patch 
> @@ -0,0 +1,18 @@ > +Fix CVE-2016-10243: > + > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10243 > + > +Patch adapted from upstream commit: > + > +https://www.tug.org/svn/texlive?view=revision&revision=42605 > + > +--- trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:10:33 42604 > ++++ trunk/Master/texmf-dist/web2c/texmf.cnf 2016/11/29 23:27:53 42605 > +@@ -568,7 +568,6 @@ extractbb,\ > + gregorio,\ > + kpsewhich,\ > + makeindex,\ > +-mpost,\ > + repstopdf,\ > + > + % we'd like to allow: > diff --git a/gnu/packages/tex.scm b/gnu/packages/tex.scm

Is this sufficient? I see here that two files need this change:

  https://www.tug.org/svn/texlive?view=revision&revision=42605

Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?

-- 
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
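
Review bot: the header of the new texlive-texmf-CVE-2016-10243.patch says "Patch adapted from upstream commit" without saying what was adapted, and the embedded hunk changes only trunk/Master/texmf-dist/web2c/texmf.cnf, while the reply above notes that the linked upstream revision touches two files. Record in that header which part of revision 42605 was left out and why, or carry the second texmf.cnf change as well if the sources this package builds include that copy, so a later reader can tell the omission was deliberate. A short sentence in the header saying that the fix is the removal of `mpost,\` from the list in texmf.cnf would also make the patch understandable without following the CVE link.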