fix bz#1429452, mpost allows to run non-whitelisted external program

2017-03-07 21:20:33 +01:00 · 2017-03-07 21:20:33 +01:00 · a5c3f4d576
commit a5c3f4d576
parent 1d23a55d6a
2 changed files with 40 additions and 3 deletions
--- a/texlive-mpost-CVE-2016-10243.patch
+++ b/texlive-mpost-CVE-2016-10243.patch
@ -0,0 +1,31 @@
+diff -up texlive-2016/source/inst/share/texmf-dist/web2c/texmf.cnf.than texlive-2016/source/inst/share/texmf-dist/web2c/texmf.cnf
+--- texlive-2016/source/inst/share/texmf-dist/web2c/texmf.cnf.than	2017-03-07 17:39:23.327888786 +0100
+++ texlive-2016/source/inst/share/texmf-dist/web2c/texmf.cnf	2017-03-07 17:39:37.413355544 +0100
+@@ -568,7 +568,6 @@ extractbb,\
+ gregorio,\
+ kpsewhich,\
+ makeindex,\
+-mpost,\
+ repstopdf,\
+ 
+ % we'd like to allow:
+diff -U0 texlive-2016/source/texk/kpathsea/ChangeLog.than texlive-2016/source/texk/kpathsea/ChangeLog
+--- texlive-2016/source/texk/kpathsea/ChangeLog.than	2017-03-07 17:36:09.052243607 +0100
+++ texlive-2016/source/texk/kpathsea/ChangeLog	2017-03-07 17:36:55.525484239 +0100
+@@ -0,0 +1,5 @@
+2016-11-30  Karl Berry  <karl@ks.tug.org>
+
+	* texmf.cnf (shell_escape_commands): remove mpost, due to
+	the -tex option. Oops! Report from Bruno Le Floch.
+
+diff -up texlive-2016/source/texk/kpathsea/texmf.cnf.than texlive-2016/source/texk/kpathsea/texmf.cnf
+--- texlive-2016/source/texk/kpathsea/texmf.cnf.than	2017-03-07 17:37:14.160778751 +0100
+++ texlive-2016/source/texk/kpathsea/texmf.cnf	2017-03-07 17:37:39.688812317 +0100
+@@ -568,7 +568,6 @@ extractbb,\
+ gregorio,\
+ kpsewhich,\
+ makeindex,\
+-mpost,\
+ repstopdf,\
+ 
+ % we'd like to allow:
--- a/texlive.spec
+++ b/texlive.spec
@ -1,6 +1,6 @@
 %global source_date 20160520
 %global tl_version 2016
-%global tl_rel 32
+%global tl_rel 33
 %global tl_release %{tl_rel}.%{source_date}%{?dist}
 %global tl_noarch_release %{tl_rel}%{?dist}
 %global source_name texlive-%{source_date}-source
@ -57,10 +57,13 @@ Patch2: tl-format.patch
 Patch3: texlive-20160520-selinux-context.patch
 Patch4: texlive-fix-system-teckit.patch
 Patch5: texlive-2016-kpathsea-texlive-path.patch
-Patch100:  texlive-bz979176.patch
+# security fix for bz#979176
+Patch100: texlive-bz979176.patch
 Patch101: etex-addlanguage-fix-bz1215257.patch
 Patch102: texlive-latexpand-perl518.patch
 Patch103: texlive-2016-latexdiff-perl518.patch
+# security fix for bz#1429452, CVE-2016-10243
+Patch104: texlive-mpost-CVE-2016-10243.patch
 Source0: %{source_name}.tar.xz
 Source1: tl2rpm.c
 Source2: texlive.tlpdb
@ -180022,8 +180025,8 @@ cp %{SOURCE7597} .
 %patch3 -p0
 %patch4 -p0
 %patch5 -p0
-# security fix for bz#979176
 %patch100 -p0
+%patch104 -p1
 for l in `unxz -c %{SOURCE3} | tar t`; do
 ln -s %{_texdir}/licenses/$l $l
 done
@ -222028,6 +222031,9 @@ fi
 %{_libdir}/pkgconfig/*.pc

 %changelog
+* Tue Mar 07 2017 Than Ngo <than@redhat.com> - 6:2016-33.20160520
+- fix bz#1429452, mpost allows to run non-whitelisted external programs
+
 * Mon Feb 20 2017 Tom Callaway <spot@fedoraproject.org> 6:2016-32.20160520
 - fix issue with epstopdf.pl (bz1415301)