A CVE has been assigned for a security issue fixed upstream in texlive: http://openwall.com/lists/oss-security/2017/03/05/1 The upstream commit that fixed the issue is linked in the message above. Mageia 5 may also be affected.
Whiteboard: (none) => MGA5TOO
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer is unavailable.
CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => pmdenielou
Debian has issued an advisory for this today (March 8): https://www.debian.org/security/2017/dsa-3803
Fixed in cauldron
CVE: (none) => CVE-2016-10243
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
CC: (none) => mageia
uploaded in updates_testing src.rpm: texlive-20130530-21.1.mga5
Assignee: pmdenielou => qa-bugs
Advisory:
========================

Updated texlive packages fix security vulnerability:

It was discovered that texlive whitelists mpost as an external program to be run from within the TeX source code (called \write18). Since mpost allows to specify other programs to be run, an attacker can take advantage of this flaw for arbitrary code execution when compiling a TeX document (CVE-2016-10243).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10243
https://www.debian.org/security/2017/dsa-3803
========================

Updated packages in core/updates_testing:
========================
texlive-20130530-21.1.mga5
libkpathsea6-20130530-21.1.mga5
libkpathsea-devel-20130530-21.1.mga5
libkpathsea-static-devel-20130530-21.1.mga5
libptexenc1-20130530-21.1.mga5
libptexenc-devel-20130530-21.1.mga5
libptexenc-static-devel-20130530-21.1.mga5

from texlive-20130530-21.1.mga5.src.rpm
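A check for the whitelist entry the advisory describes, as an added example that is not part of the original thread or of the texlive package. It assumes the restricted \write18 whitelist is the `shell_escape_commands` setting of texmf.cnf (a name the thread does not give); the function names and both sample files are constructed for illustration.

```shell
# Added example; the sample files below are constructed, not taken from the package.
list_shell_escape_commands() {   # print one whitelisted program per line
    awk '
        function emit(l,   n, i, a) {
            if (l !~ /^[ \t]*shell_escape_commands([ \t=]|$)/) return
            sub(/^[ \t]*shell_escape_commands[ \t]*=?[ \t]*/, "", l)
            sub(/[ \t]+$/, "", l)
            n = split(l, a, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }
        /^[ \t]*%/ { next }                     # comment line, even inside the list
        {
            sub(/[ \t]+%.*$/, "")               # trailing comment
            line = (cont ? line : "") $0
            if (sub(/\\$/, "", line)) { cont = 1; next }   # backslash continuation
            cont = 0; emit(line)
        }
        END { if (cont) emit(line) }            # list that runs to end of file
    ' "$1"
}

mpost_whitelisted() {   # exit status 0 when mpost is on the whitelist
    list_shell_escape_commands "$1" | grep -x mpost >/dev/null
}

SAMPLES=$(mktemp -d)
cat > "$SAMPLES/before.cnf" <<'EOF'
% constructed sample: whitelist still containing mpost
shell_escape = p
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,\
makeindex,\
mpost,\
repstopdf,\

EOF
cat > "$SAMPLES/after.cnf" <<'EOF'
% constructed sample: mpost commented out of the whitelist
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,\
% mpost,\
makeindex,\
repstopdf,\
EOF
for f in "$SAMPLES"/*.cnf; do
    if mpost_whitelisted "$f"; then echo "$f: mpost is whitelisted"
    else echo "$f: mpost not whitelisted"; fi
done
```

On an installed system the active file can be located with `kpsewhich texmf.cnf` and passed to `mpost_whitelisted`.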
MGA5-32 on Asus A6000VM Xfce

No installation issues.

Googling for some easy test brought me to the test file in the rpm, so first copy small2e.tex from /usr/share/texmf-dist/tex/latex/base/ to Documents and then at CLI:

[xxx@yyyy Documenten]$ texliveonfly -f small2e.tex
This is pdfTeX, Version 3.1415926-2.5-1.40.14 (TeX Live 2013/Mageia)
 restricted \write18 enabled.
entering extended mode
(./small2e.tex
LaTeX2e <2011/06/27>
Babel <3.9f> and hyphenation patterns for 78 languages loaded.
(/usr/share/texmf-dist/tex/latex/base/article.cls
Document Class: article 2007/10/19 v1.4h Standard LaTeX document class
(/usr/share/texmf-dist/tex/latex/base/size10.clo))
No file small2e.aux.
(/usr/share/texmf-dist/tex/latex/base/omscmr.fd) [1{/usr/share/texmf-dist/fonts
/map/pdftex/updmap/pdftex.map}] (./small2e.aux) )</usr/share/texmf-dist/fonts/t
ype1/public/amsfonts/cm/cmbx10.pfb></usr/share/texmf-dist/fonts/type1/public/am
sfonts/cm/cmbx12.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmr1
0.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb></usr/sh
are/texmf-dist/fonts/type1/public/amsfonts/cm/cmti10.pfb>
Output written on small2e.pdf (1 page, 60627 bytes).
SyncTeX written on small2e.synctex.gz.
Transcript written on small2e.log.

Checked the pdf file, looks good.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Before testing M5x64

1) The references given lead to no PoC.

2) Wondering what programs texlive provides is astonishing:-
a5toa4 adhocfilelist afm2pl afm2tfm aleph allcm allec allneeded amstex arara bbox bg5conv bg5latex bg5+latex bg5pdflatex bg5+pdflatex biber bibtex bibtex8 bibtexu cef5conv cef5latex cef5pdflatex cefconv ceflatex cefpdflatex cefsconv cefslatex cefspdflatex cfftot1 context convbkmk cslatex csplain ctangle ctanify ctanupload ctie ctxtools cweave checkcites chktex chkweb detex devnag deweb disdvi dosepsbin dt2dv dtxgen dv2dt dvi2fax dvi2tty dvibook dviconcat dvicopy dvidvi dvigif dvihp dvilj dvilj2p dvilj4 dvilj4l dvilj6 dvilualatex dviluatex dvipdfm dvipdfmx dvipdft dvipng dvipos dvips dvired dviselect dvisvgm dvitodvi dvitomp dvitype ebb eplain eptex etex euptex exceltex extconv extractbb fmtutil fmtutil-sys fontinst gbklatex gbkpdflatex gftodvi gftopk gftype gsftopk hbf2gf inimf initex installfont-tl kanji-config-updmap kanji-config-updmap-sys kanji-fontmap-creator kpseaccess kpsepath kpsereadlink kpsestat kpsetool kpsewhere kpsewhich kpsexpand lacheck lamed latex latexfileversion latexpand listbib ltxfileinfo lua2dox_filter lualatex luaotfload-tool luatex luatools mag makeindex makejvf match_parens mendex metafun mex mf mf2pt1 mf-nowin mfplain mft mkindex mkocp mkofm mktexfmt mktexlsr mktexmf mktexpk mktextfm mltex mllatex mmafm mmpfb mpost m-tx mtxrun multibibliography musixflx musixtex odvicopy odvitype ofm2opl omfonts opl2ofm otangle otfinfo-texlive otftotfm otp2ocp outocp ovf2ovp ovp2ovf patgen pbibtex pdfclose pdfcslatex pdfcsplain pdfetex pdflatex pdfmex pdfopen pdftex pdftosrc pdvitype pedigree pfarrei pfb2pfa pk2bm pktogf pktype platex pltotf pmx2pdf pmxab pooltype ppltotf prepmx ps2eps ps2frag ps2pk pslatex pstopdf ptex ptex2pdf ptftopl physe phyzzx rubibtex rumakeindex scor2prt sjisconv sjislatex sjispdflatex sty2dtx synctex t1dotlessj t1lint t1rawafm t1reencode t1testpage t4ht tangle tcdialog teckit_compile tex tex4ht texconfig texconfig-dialog texconfig-sys texdef texexec texhash texlinks texliveonfly texlua texluac texmf texmfstart texsis tftopl tie tpic2pdftex ttf2afm ttf2pk ttf2tfm ttfdump ttftotype42 typeoutfileinfo upbibtex updmap-sys updvitype uppltotf uptex uptftopl urlbst utf8mex vftovp vlna vptovf weave web2c wovp2ovf xdvi xdvipdfmx xdvi-xaw xelatex xetex !
CC: (none) => lewyssmith
The only affected programs would be ones linked to libkpathsea.so.6 (you can check the binaries with ldd). I haven't checked myself, but there should be at least one in the texlive package, as well as atril-dvi and evince-dvi.
Testing M5_64

I installed Lyx to produce [export] .dvi and .tex files (beware: pulls in 500Mb pkgs); and atril-dvi & evince-dvi. Both viewers then display .dvi OK. Stracing them (STDERR, 2, is the stream to capture) revealed *no* call to libkpathsea.so.

Trying before update as per Comment 6 ["This program downloads TeX Live packages "on the fly" while compiling .tex documents"]; the -f option overrides an error:
 $ texliveonfly -f <file>.tex
produces
 <file>.aux <file>.log <file>.pdf <file>.synctex.gz
along with a lot of console O/P. No sign of libkpathsea.so when straced. The PDFs viewed correctly.

Updated to:
 lib64kpathsea6-20130530-21.1.mga5
 lib64ptexenc1-20130530-21.1.mga5
 texlive-20130530-21.1.mga5

All results with
 $ atril <file>.dvi
 $ evince <file>.dvi
 $ texliveonfly -f <file>.tex
similar to previously. But better...
 $ strace xdvi splash.dvi 2>&1 | grep libkpathsea
 open("/usr/lib64/tls/x86_64/libkpathsea.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
 open("/usr/lib64/tls/libkpathsea.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
 open("/usr/lib64/x86_64/libkpathsea.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
 open("/usr/lib64/libkpathsea.so.6", O_RDONLY|O_CLOEXEC) = 3
shows that *this* does call the library in question; the display was correct.

OKing, validating, advisory to follow immediately.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0127.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED