Report forwarded
to guix-patches@gnu.org: bug#25993; Package guix-patches.
(Mon, 06 Mar 2017 03:32:02 GMT).
Acknowledgement sent
to Leo Famulari <leo@famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches@gnu.org.
(Mon, 06 Mar 2017 03:32:02 GMT).
This fixes CVE-2016-10243:
"The TeX system allows for calling external programs from within the
TeX source code (called \write18). This has been restricted to a
small set of programs since a long time ago.
Unfortunately it turned out that one program in the list, mpost
(also shipped with TeX Live), allows in turn to specify other
programs to be run, which allows arbitrary code execution when
compiling a TeX document."
source:
http://seclists.org/oss-sec/2017/q1/555
This patch prevents the POC described in blog post:
https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/
On Mon, Mar 06, 2017 at 10:02:06AM +0100, Ricardo Wurmus wrote:
> Is this sufficient? I see here that two files need this change:
>
> https://www.tug.org/svn/texlive?view=revision&revision=42605
>
> Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?
I inspected the built output of texlive, texlive-bin, and texlive-texmf,
and none of them include the texmf.cnf file for kpathsea.
That file does exist in the source.
AFAICT, the only .cnf file in our built package that whitelists mpost is
the one I patched.
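
The inspection described in the message above can be scripted. The following Python code is an added example, not part of this thread or of the Guix patch: it parses texmf.cnf syntax, reads the kpathsea `shell_escape_commands` list, and reports which .cnf files under a built output directory still list mpost. The sample file contents and the function names are constructed for illustration.

```python
import os
import re

# Constructed sample in texmf.cnf syntax; not copied from TeX Live or Guix.
SAMPLE_CNF = r"""
% restricted shell escape: only the listed programs may be run
shell_escape = p
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,\
makeindex,\
mpost,\
repstopdf,\

"""

def cnf_value(text, name):
    """Return the first value assigned to `name`, or None if it is unset."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("%"):          # whole-line comment
            continue
        if line.endswith("\\"):           # continuation: join with the next line
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    logical.append(pending)               # continuation that ran to end of file
    # Require '=' or whitespace after the name so that a lookup of
    # 'shell_escape' cannot match 'shell_escape_commands'.
    pattern = re.compile(r"^" + re.escape(name) + r"(?:\.\w+)?(?:\s*=\s*|\s+)(.*)$")
    for line in logical:
        match = pattern.match(line)
        if match:
            return match.group(1)
    return None

def shell_escape_whitelist(text):
    """Programs that restricted \\write18 may run, as exact names."""
    value = cnf_value(text, "shell_escape_commands")
    return [c.strip() for c in (value or "").split(",") if c.strip()]

def files_whitelisting(root, program="mpost"):
    """Walk a built package tree; return every *.cnf that still lists `program`."""
    hits = []
    for folder, _dirs, names in os.walk(root):
        for fname in (n for n in names if n.endswith(".cnf")):
            path = os.path.join(folder, fname)
            with open(path, encoding="utf-8", errors="replace") as handle:
                if program in shell_escape_whitelist(handle.read()):
                    hits.append(path)
    return sorted(hits)
```

Comparing exact list entries rather than searching for the substring avoids false hits on comments or on other program names that merely contain "mpost".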
Leo Famulari <leo@famulari.name> writes:
> On Mon, Mar 06, 2017 at 10:02:06AM +0100, Ricardo Wurmus wrote:
>> Is this sufficient? I see here that two files need this change:
>>
>> https://www.tug.org/svn/texlive?view=revision&revision=42605
>>
>> Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?
>
> I inspected the built output of texlive, texlive-bin, and texlive-texmf,
> and none of them include the texmf.cnf file for kpathsea.
>
> That file does exist in the source.
>
> AFAICT, the only .cnf file in our built package that whitelists mpost is
> the one I patched.
Thank you for confirming this. The patch looks good to me!
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
Information forwarded
to guix-patches@gnu.org: bug#25993; Package guix-patches.
(Mon, 06 Mar 2017 21:50:01 GMT).
On Mon, Mar 06, 2017 at 10:32:04PM +0100, Ricardo Wurmus wrote:
>
> Leo Famulari <leo@famulari.name> writes:
>
> > On Mon, Mar 06, 2017 at 10:02:06AM +0100, Ricardo Wurmus wrote:
> >> Is this sufficient? I see here that two files need this change:
> >>
> >> https://www.tug.org/svn/texlive?view=revision&revision=42605
> >>
> >> Should “trunk/Build/source/texk/kpathsea/texmf.cnf” also be patched?
> >
> > I inspected the built output of texlive, texlive-bin, and texlive-texmf,
> > and none of them include the texmf.cnf file for kpathsea.
> >
> > That file does exist in the source.
> >
> > AFAICT, the only .cnf file in our built package that whitelists mpost is
> > the one I patched.
>
> Thank you for confirming this. The patch looks good to me!
Thanks for your review!
Pushed as e20784e65efa7c783792e8a830d4b4aaf35750d5
By the way, I'd normally adjust the patch to use the default patch-level
of 'p1', and to include another, more descriptive, link about the bug.
But I lack the disk space to rebuild texlive again. Building it before
and after the bug-fix, for testing, used ~12 GB.
Added tag(s) fixed.
Request was from Ricardo Wurmus <rekado@elephly.net>
to control@debbugs.gnu.org.
(Thu, 09 Mar 2017 08:07:02 GMT).
Reply sent
to Ricardo Wurmus <rekado@elephly.net>:
You have taken responsibility.
(Thu, 09 Mar 2017 08:15:02 GMT).
Notification sent
to Leo Famulari <leo@famulari.name>:
bug acknowledged by developer.
(Thu, 09 Mar 2017 08:15:02 GMT).