TeX Live: CVE-2016-10243: whitelists a insecure binary/utility to be run as external program

[Salvatore Bonaccorso <carnil () debian org>]

Hi

Via http://cveform.mitre.org/ CVE-2016-10243 was assigned for the
following issue in the TeX Live system:

> The TeX system allows for calling external programs from within the
> TeX source code (called \write18). This has been restricted to a
> small set of programs since a long time ago.
>
> Unfortunately it turned out that one program in the list, mpost
> (also shipped with TeX Live), allows in turn to specify other
> programs to be run, which allows arbitrary code execution when
> compiling a TeX document.

Upstream commit addressing the issue:

https://www.tug.org/svn/texlive?view=revision&revision=42605

Report on the issue:

https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/

Regards,
Salvatore