Advisories » MGASA-2017-0127

Updated texlive packages fix security vulnerability

Publication date: 03 May 2017
Modification date: 03 May 2017
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-10243

Description

It was discovered that texlive whitelists mpost as an external program
to be run from within the TeX source code (called \write18). Since
mpost allows to specify other programs to be run, an attacker can take
advantage of this flaw for arbitrary code execution when compiling a TeX
document (CVE-2016-10243).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=20401
• https://www.debian.org/security/2017/dsa-3803
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10243

SRPMS

5/core

• texlive-20130530-21.1.mga5