[blfs-support] Vulnerability in latex.

Ken Moffat zarniwhoop at ntlworld.com
Wed Dec 7 14:10:31 PST 2016

In the absence of a security list, and because the fix is not an
update to a newer version: Users of latex should be aware that
a new vulnerability was announced at the end of last month.

This also applies to those who installed latex from the binary
and have not used tlmgr.  I assume that new binary installs in the
past few days have already included the fix, which is to remove
mpost from the shell_escape_commands in texmf.cnf (my machine where
I had a binary install is currently broken, can't check).

Rather than alter the install to remove that line early on, in this
case I have added a new command at the end of the source install,
prefixed "Now, or if returning here because you were advised, fix a
new vulnerability."

Normally this sort of information would only be included in the
Errata, and in the tickets (e.g. defect with priority high or
greater).  Because this does not seem to be as well known even as
the current vulnerability to all kernels (local user privilege
escalation), and the POC described it as pwning a co-worker's
laptop, on this occasion I am mentioning it here.

`I shall take my mountains', said Lu-Tze. `The climate will be good
for them.'  -- Small Gods
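The texmf.cnf check described above, written as an added example that is not code from the post or from BLFS/TeX Live: it reads the shell_escape_commands list (joining the backslash-continued lines TeX Live uses), reports whether mpost is still listed, and prints the corrected value. The sample file contents and its path are constructed.

```shell
#!/bin/sh
# Added example: inspect shell_escape_commands in a texmf.cnf and produce
# the value with mpost removed. Sample data below is constructed.

# Constructed texmf.cnf fragment in TeX Live's continuation-line layout.
SAMPLE_CNF='% constructed sample, not a distributed file
shell_escape = p
shell_escape_commands = \
bibtex,bibtex8,\
extractbb,kpsewhich,\
makeindex,mpost,repstopdf,\

% other settings follow
TEXMFCNF = .'
SAMPLE_FILE="${TMPDIR:-/tmp}/texmf-sample.$$.cnf"
printf '%s\n' "$SAMPLE_CNF" > "$SAMPLE_FILE"

# Print the effective shell_escape_commands value from the given file,
# joining backslash-continued lines and dropping whitespace.
read_escape_cmds() {
    awk '
        /^shell_escape_commands[ \t]*=/ { inval = 1; sub(/^[^=]*=/, "") }
        inval {
            cont = sub(/\\[ \t]*$/, "")   # 1 when the line continues
            gsub(/[ \t]/, "")
            val = val $0
            if (!cont) inval = 0
        }
        END { print val }' "$1"
}

# Succeed (exit 0) when the comma-separated list contains mpost.
lists_mpost() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx 'mpost'
}

# Print the list with mpost and empty entries removed: the hardened value
# the post says to put back into texmf.cnf.
drop_mpost() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -v '^$' | grep -vx 'mpost' | paste -sd, -
}

current=$(read_escape_cmds "$SAMPLE_FILE")
if lists_mpost "$current"; then
    echo "vulnerable: shell_escape_commands = $current"
    echo "fixed:      shell_escape_commands = $(drop_mpost "$current")"
else
    echo "ok: mpost is not in shell_escape_commands"
fi
```

To check a real install, point read_escape_cmds at the texmf.cnf that `kpsewhich texmf.cnf` reports instead of the sample file.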
