CVE-2016-10243
NONE EPSS 93.5%
Published May 2, 2017 9y ago
Last Modified Jun 17, 2026 2w ago
Description
TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file.
Threat Intelligence
EPSS Exploit Probability
93.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-20 Improper Input Validation
Affected Products 5
| Vendor | Product | Version | Range |
|---|---|---|---|
| debian | debian_linux | 7.0 | any |
| debian | debian_linux | 8.0 | any |
| fedoraproject | fedora | 25 | any |
| fedoraproject | fedora | 26 | any |
| tug | tex_live | * | any |
References 8
- debian.org http://www.debian.org/security/2017/dsa-3803
- openwall.com http://www.openwall.com/lists/oss-security/2017/03/05/1
- securityfocus.com http://www.securityfocus.com/bid/96593
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B7CNJ4HKX7X6V7VMN3UCU7KPY6IX4XRB/
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL6PUKPWEXYIPIAZRIX5ZLQWCSALVLFP/
- scumjr.github.io https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/
- security.gentoo.org https://security.gentoo.org/glsa/201709-07
- tug.org https://www.tug.org/svn/texlive?view=revision&revision=42605
Remediation
- tug.org https://www.tug.org/svn/texlive?view=revision&revision=42605