From a5c3f4d576c47a1bc1984b1a5c18d1c0f4d322f2 Mon Sep 17 00:00:00 2001
From: Than Ngo <than@redhat.com>
Date: Tue, 7 Mar 2017 21:20:33 +0100
Subject: [PATCH] fix bz#1429452, mpost allows to run non-whitelisted external
 program

---
 texlive-mpost-CVE-2016-10243.patch | 31 ++++++++++++++++++++++++++++++
 texlive.spec                       | 12 +++++++++---
 2 files changed, 40 insertions(+), 3 deletions(-)
 create mode 100644 texlive-mpost-CVE-2016-10243.patch

diff --git a/texlive-mpost-CVE-2016-10243.patch b/texlive-mpost-CVE-2016-10243.patch
new file mode 100644
index 0000000..2d7b19a
--- /dev/null
+++ b/texlive-mpost-CVE-2016-10243.patch
@@ -0,0 +1,31 @@
+diff -up texlive-2016/source/inst/share/texmf-dist/web2c/texmf.cnf.than texlive-2016/source/inst/share/texmf-dist/web2c/texmf.cnf
+--- texlive-2016/source/inst/share/texmf-dist/web2c/texmf.cnf.than	2017-03-07 17:39:23.327888786 +0100
++++ texlive-2016/source/inst/share/texmf-dist/web2c/texmf.cnf	2017-03-07 17:39:37.413355544 +0100
+@@ -568,7 +568,6 @@ extractbb,\
+ gregorio,\
+ kpsewhich,\
+ makeindex,\
+-mpost,\
+ repstopdf,\
+ 
+ % we'd like to allow:
+diff -U0 texlive-2016/source/texk/kpathsea/ChangeLog.than texlive-2016/source/texk/kpathsea/ChangeLog
+--- texlive-2016/source/texk/kpathsea/ChangeLog.than	2017-03-07 17:36:09.052243607 +0100
++++ texlive-2016/source/texk/kpathsea/ChangeLog	2017-03-07 17:36:55.525484239 +0100
+@@ -0,0 +1,5 @@
++2016-11-30  Karl Berry  <karl@ks.tug.org>
++
++	* texmf.cnf (shell_escape_commands): remove mpost, due to
++	the -tex option. Oops! Report from Bruno Le Floch.
++
+diff -up texlive-2016/source/texk/kpathsea/texmf.cnf.than texlive-2016/source/texk/kpathsea/texmf.cnf
+--- texlive-2016/source/texk/kpathsea/texmf.cnf.than	2017-03-07 17:37:14.160778751 +0100
++++ texlive-2016/source/texk/kpathsea/texmf.cnf	2017-03-07 17:37:39.688812317 +0100
+@@ -568,7 +568,6 @@ extractbb,\
+ gregorio,\
+ kpsewhich,\
+ makeindex,\
+-mpost,\
+ repstopdf,\
+ 
+ % we'd like to allow:
diff --git a/texlive.spec b/texlive.spec
index 6ba605a..202f671 100644
--- a/texlive.spec
+++ b/texlive.spec
@@ -1,6 +1,6 @@
 %global source_date 20160520
 %global tl_version 2016
-%global tl_rel 32
+%global tl_rel 33
 %global tl_release %{tl_rel}.%{source_date}%{?dist}
 %global tl_noarch_release %{tl_rel}%{?dist}
 %global source_name texlive-%{source_date}-source
@@ -57,10 +57,13 @@ Patch2: tl-format.patch
 Patch3: texlive-20160520-selinux-context.patch
 Patch4: texlive-fix-system-teckit.patch
 Patch5: texlive-2016-kpathsea-texlive-path.patch
-Patch100:  texlive-bz979176.patch
+# security fix for bz#979176
+Patch100: texlive-bz979176.patch
 Patch101: etex-addlanguage-fix-bz1215257.patch
 Patch102: texlive-latexpand-perl518.patch
 Patch103: texlive-2016-latexdiff-perl518.patch
+# security fix for bz#1429452, CVE-2016-10243
+Patch104: texlive-mpost-CVE-2016-10243.patch
 Source0: %{source_name}.tar.xz
 Source1: tl2rpm.c
 Source2: texlive.tlpdb
@@ -180022,8 +180025,8 @@ cp %{SOURCE7597} .
 %patch3 -p0
 %patch4 -p0
 %patch5 -p0
-# security fix for bz#979176
 %patch100 -p0
+%patch104 -p1
 for l in `unxz -c %{SOURCE3} | tar t`; do
 ln -s %{_texdir}/licenses/$l $l
 done
@@ -222028,6 +222031,9 @@ fi
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Tue Mar 07 2017 Than Ngo <than@redhat.com> - 6:2016-33.20160520
+- fix bz#1429452, mpost allows to run non-whitelisted external programs
+
 * Mon Feb 20 2017 Tom Callaway <spot@fedoraproject.org> 6:2016-32.20160520
 - fix issue with epstopdf.pl (bz1415301)