Bug 1526167 (CVE-2017-17513) - CVE-2017-17513 texlive: Command injection in mswin/mtxrun.lua and lualibs/lualibs-os.lua
Summary: CVE-2017-17513 texlive: Command injection in mswin/mtxrun.lua and lualibs/lua...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-17513
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1526168 1533475 1910706
Blocks: 1526171
TreeView+ depends on / blocked
 
Reported: 2017-12-14 21:10 UTC by Pedro Sampaio
Modified: 2021-02-17 01:05 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-01-11 13:11:53 UTC
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2017-12-14 21:10:26 UTC 
TeX Live through 20170524 does not validate strings before launching the
   program specified by the BROWSER environment variable, which might allow
   remote attackers to conduct argument-injection attacks via a crafted URL,
   related to texmf-dist/scripts/context/stubs/mswin/mtxrun.lua and
   texmf-dist/tex/luatex/lualibs/lualibs-os.lua.

References:

https://security-tracker.debian.org/tracker/CVE-2017-17513
Comment 1 Pedro Sampaio 2017-12-14 21:10:52 UTC 
Created texlive tracking bugs for this issue:

Affects: fedora-all [bug 1526168]
Comment 4 Stefan Cornelius 2018-01-11 13:12:11 UTC 
Statement:

This issue did not affect the versions of texlive as shipped with Red Hat Enterprise Linux 6 and 7.
Note You need to log in before you can comment on or make changes to this bug.