Bug 20401 - texlive new security issue CVE-2016-10243
Summary: texlive new security issue CVE-2016-10243
Product: Mageia
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Reported: 2017-03-06 02:02 CET by David Walser
Modified: 2017-05-03 11:55 CEST
CC: 6 users

Source RPM: texlive-20160523-3.mga6.src.rpm
CVE: CVE-2016-10243
Description David Walser 2017-03-06 02:02:23 CET
A CVE has been assigned for a security issue fixed upstream in texlive:

The upstream commit that fixed the issue is linked in the message above.

Mageia 5 may also be affected.
David Walser 2017-03-06 02:02:30 CET

Comment 1 Marja Van Waes 2017-03-06 08:55:17 CET
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer is unavailable.

Comment 2 David Walser 2017-03-08 12:11:06 CET
Debian has issued an advisory for this today (March 8):

Comment 3 Nicolas Lécureuil 2017-05-01 01:51:27 CEST
Fixed in cauldron

Comment 4 Nicolas Lécureuil 2017-05-01 02:03:14 CEST
uploaded in updates_testing 

src.rpm:    texlive-20130530-21.1.mga5

Comment 5 David Walser 2017-05-01 02:44:06 CEST

Updated texlive packages fix security vulnerability:

It was discovered that texlive whitelists mpost as an external program to be
run from within the TeX source code (called \write18). Since mpost allows
specifying other programs to be run, an attacker can take advantage of this flaw
for arbitrary code execution when compiling a TeX document (CVE-2016-10243).


Updated packages in core/updates_testing:

from texlive-20130530-21.1.mga5.src.rpm

Comment 6 Herman Viaene 2017-05-01 17:00:04 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Googling for some easy test brought me to the test file in the rpm, so first copy small2e.tex from /usr/share/texmf-dist/tex/latex/base/ to Documents and then at CLI:
[xxx@yyyy Documenten]$ texliveonfly -f small2e.tex 
This is pdfTeX, Version 3.1415926-2.5-1.40.14 (TeX Live 2013/Mageia)
 restricted \write18 enabled.
entering extended mode
LaTeX2e <2011/06/27>
Babel <3.9f> and hyphenation patterns for 78 languages loaded.
Document Class: article 2007/10/19 v1.4h Standard LaTeX document class
No file small2e.aux.
(/usr/share/texmf-dist/tex/latex/base/omscmr.fd) [1{/usr/share/texmf-dist/fonts
/map/pdftex/updmap/pdftex.map}] (./small2e.aux) )</usr/share/texmf-dist/fonts/t
Output written on small2e.pdf (1 page, 60627 bytes).
SyncTeX written on small2e.synctex.gz.
Transcript written on small2e.log.

Checked the pdf file, looks good.

Comment 7 Lewis Smith 2017-05-02 12:35:03 CEST
Before testing M5x64

1) The references given lead to no PoC.

2) Wondering what programs texlive provides is astonishing:-
a5toa4 adhocfilelist afm2pl afm2tfm aleph allcm allec allneeded amstex arara bbox bg5conv bg5latex bg5+latex bg5pdflatex bg5+pdflatex biber bibtex bibtex8 bibtexu cef5conv cef5latex cef5pdflatex cefconv ceflatex cefpdflatex cefsconv cefslatex cefspdflatex cfftot1 context convbkmk cslatex csplain ctangle ctanify ctanupload ctie ctxtools cweave checkcites chktex chkweb detex devnag deweb disdvi dosepsbin dt2dv dtxgen dv2dt dvi2fax dvi2tty dvibook dviconcat dvicopy dvidvi dvigif dvihp dvilj dvilj2p dvilj4 dvilj4l dvilj6 dvilualatex dviluatex dvipdfm dvipdfmx dvipdft dvipng dvipos dvips dvired dviselect dvisvgm dvitodvi dvitomp dvitype ebb eplain eptex etex euptex exceltex extconv extractbb fmtutil fmtutil-sys fontinst gbklatex gbkpdflatex gftodvi gftopk gftype gsftopk hbf2gf inimf initex installfont-tl kanji-config-updmap kanji-config-updmap-sys kanji-fontmap-creator kpseaccess kpsepath kpsereadlink kpsestat kpsetool kpsewhere kpsewhich kpsexpand lacheck lamed latex latexfileversion latexpand listbib ltxfileinfo lua2dox_filter lualatex luaotfload-tool luatex luatools mag makeindex makejvf match_parens mendex metafun mex mf mf2pt1 mf-nowin mfplain mft mkindex mkocp mkofm mktexfmt mktexlsr mktexmf mktexpk mktextfm mltex mllatex mmafm mmpfb mpost m-tx mtxrun multibibliography musixflx musixtex odvicopy odvitype ofm2opl omfonts opl2ofm otangle otfinfo-texlive otftotfm otp2ocp outocp ovf2ovp ovp2ovf patgen pbibtex pdfclose pdfcslatex pdfcsplain pdfetex pdflatex pdfmex pdfopen pdftex pdftosrc pdvitype pedigree pfarrei pfb2pfa pk2bm pktogf pktype platex pltotf pmx2pdf pmxab pooltype ppltotf prepmx ps2eps ps2frag ps2pk pslatex pstopdf ptex ptex2pdf ptftopl physe phyzzx rubibtex rumakeindex scor2prt sjisconv sjislatex sjispdflatex sty2dtx synctex t1dotlessj t1lint t1rawafm t1reencode t1testpage t4ht tangle tcdialog teckit_compile tex tex4ht texconfig texconfig-dialog texconfig-sys texdef texexec texhash texlinks texliveonfly texlua texluac texmf texmfstart texsis tftopl tie 
tpic2pdftex ttf2afm ttf2pk ttf2tfm ttfdump ttftotype42 typeoutfileinfo upbibtex updmap-sys updvitype uppltotf uptex uptftopl urlbst utf8mex vftovp vlna vptovf weave web2c wovp2ovf xdvi xdvipdfmx xdvi-xaw xelatex xetex !

Comment 8 David Walser 2017-05-02 12:39:55 CEST
The only affected programs would be ones linked to libkpathsea.so.6 (you can check the binaries with ldd).  I haven't checked myself, but there should be at least one in the texlive package, as well as atril-dvi and evince-dvi.
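The two checks a tester would want for this bug are the ones Comment 5 and Comment 8 describe: whether mpost is still in the restricted \write18 whitelist (the `shell_escape_commands` variable in texmf.cnf), and which installed binaries actually link libkpathsea.so.6 and therefore consult that whitelist. The script below is an added example for this report, not Mageia or TeX Live code; the function names are its own, and the two texmf.cnf excerpts it checks are constructed samples (one in the pre-update state with mpost listed, one with mpost removed), not copies of the packaged file.

```shell
#!/bin/sh
# Added example for this bug report (not Mageia or TeX Live code).
# Defender-side checks for CVE-2016-10243:
#   1. read the restricted \write18 whitelist (shell_escape_commands) out of
#      a texmf.cnf and flag the vulnerable condition, mpost being present;
#   2. find which binaries link libkpathsea.so, i.e. which programs consult
#      that configuration at all (the ldd check from Comment 8).
# Function names and the sample configs below are this example's own.

# Print the shell_escape_commands value found in the texmf.cnf given as $1.
# Syntax handled: '%' starts a comment and a trailing backslash continues the
# assignment on the next line. If the variable is assigned more than once,
# this example reports the last assignment (a simplification; on a live
# system `kpsewhich -var-value shell_escape_commands` gives the resolved value).
extract_whitelist() {
    awk '
        function handle(l) {
            if (l ~ /^[ \t]*shell_escape_commands[ \t]*=/) {
                sub(/^[^=]*=/, "", l)      # keep only the right-hand side
                gsub(/[ \t]/, "", l)       # "a, b ,c" -> "a,b,c"
                value = l
            }
        }
        { sub(/%.*/, "") }                                  # strip comments
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }  # continued
        { handle(buf $0); buf = "" }                        # logical line done
        END { if (buf != "") handle(buf); print value }
    ' "$1"
}

# True (exit 0) when the comma-separated whitelist $1 contains exactly "mpost"
# (a longer name that merely contains "mpost" does not count).
whitelists_mpost() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx 'mpost'
}

# Check one texmf.cnf: prints a verdict, exit 0 when safe, 1 when vulnerable.
check_texmf_cnf() {
    wl=$(extract_whitelist "$1")
    if whitelists_mpost "$wl"; then
        echo "VULNERABLE $1: mpost in shell_escape_commands=$wl"
        return 1
    fi
    echo "OK $1: shell_escape_commands=$wl"
    return 0
}

# Print the executables under directory $1 whose link chain includes
# libkpathsea.so (Comment 8's ldd check). ldd runs the dynamic loader on the
# file, so use this on a trusted install only; `readelf -d` shows the direct
# NEEDED entries without executing anything.
kpathsea_linked_binaries() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        if ldd "$f" 2>/dev/null | grep -q 'libkpathsea\.so'; then
            echo "$f"
        fi
    done
}

# Constructed texmf.cnf excerpts (not real Mageia files): the pre-update
# whitelist, written in the multi-line style TeX Live uses, and a fixed one.
VULNERABLE_CNF='% constructed texmf.cnf excerpt, pre-update
shell_escape = p
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,\
makeindex,\
mpost,\
repstopdf,\

% other settings follow
'
FIXED_CNF='% constructed texmf.cnf excerpt, mpost removed
shell_escape = p
shell_escape_commands = bibtex,bibtex8,kpsewhich,makeindex,repstopdf
'

# Write both samples to a temporary directory and check each of them.
demo() {
    d=$(mktemp -d)
    printf '%s' "$VULNERABLE_CNF" > "$d/vulnerable.cnf"
    printf '%s' "$FIXED_CNF" > "$d/fixed.cnf"
    for cnf in "$d/vulnerable.cnf" "$d/fixed.cnf"; do
        check_texmf_cnf "$cnf" || :   # the verdict line already reports it
    done
    rm -rf "$d"
}
demo
```

On an installed system the same functions apply to the real files: `check_texmf_cnf "$(kpsewhich texmf.cnf)"` checks the configuration kpsewhich resolves first (`kpsewhich -all texmf.cnf` lists every candidate), and `kpathsea_linked_binaries /usr/bin` gives the list Comment 8 asks for, which on the tested install should contain the TeX engines such as pdftex and xdvi but, as Comment 9 found, not necessarily the atril and evince DVI back ends.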
Comment 9 Lewis Smith 2017-05-03 10:55:42 CEST
Testing M5_64

I installed Lyx to produce [export] .dvi and .tex files (beware: pulls in 500Mb pkgs); and atril-dvi & evince-dvi. Both viewers then display .dvi OK. Stracing them (STDERR, 2, is the stream to capture) revealed *no* call to libkpathsea.so.

Trying before update as per Comment 6 ["This program downloads TeX Live packages "on the fly" while compiling .tex documents"]; the -f option overrides an error:
 $ texliveonfly -f <file>.tex
produces <file>.aux  <file>.log  <file>.pdf <file>.synctex.gz
along with a lot of console O/P. No sign of libkpathsea.so when straced. The PDFs viewed correctly.

Updated to:
All results with
 $ atril <file>.dvi
 $ evince <file>.dvi
 $ texliveonfly -f <file>.tex
similar to previously.
But better...
 $ strace xdvi splash.dvi 2>&1 | grep libkpathsea
 open("/usr/lib64/tls/x86_64/libkpathsea.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
 open("/usr/lib64/tls/libkpathsea.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
 open("/usr/lib64/x86_64/libkpathsea.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
 open("/usr/lib64/libkpathsea.so.6", O_RDONLY|O_CLOEXEC) = 3
shows that *this* does call the library in question; the display was correct.

OKing, validating, advisory to follow immediately.

Lewis Smith 2017-05-03 11:01:20 CEST

Comment 10 Mageia Robot 2017-05-03 11:55:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.