Hi Markus,

> Would you like to take care of this yourself?

I have prepared a new package and tried to build it in my wheezy chroot/cowbuilder, but that ended in segfaults. It seems that either my wheezy chroot is broken, or the binaries in wheezy (bash) cannot run anymore on my sid system.

Thus, I send you the debdiff and ask you to build and upload. Testing can be minimal (install test), since the only change is removing one line from the configuration texmf.cnf so that mpost cannot be called (see debdiff).

If you need anything else from me, please let me know. I can build and sign the packages on my sid system, but I'm not sure whether this is a good idea. If you want me to build on sid, sign, and upload, let me know.

All the best

Norbert

--
PREINING Norbert http://www.preining.info
Accelia Inc. + JAIST + TeX Live + Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
diff -Nru texlive-base-2012.20120611/debian/changelog texlive-base-2012.20120611/debian/changelog --- texlive-base-2012.20120611/debian/changelog 2012-10-03 21:01:59.000000000 +0900 +++ texlive-base-2012.20120611/debian/changelog 2017-03-07 10:54:45.000000000 +0900 @@ -1,3 +1,9 @@ +texlive-base (2012.20120611-5+deb7u1) wheezy-security; urgency=high + + * remove mpost from list of shell_escape_commands (CVE-2016-10243) + + -- Norbert Preining <[email protected]> Tue, 07 Mar 2017 10:54:45 +0900 + texlive-base (2012.20120611-5) unstable; urgency=low * properly purge some conffiles (Closes: #688382) diff -Nru texlive-base-2012.20120611/debian/patches/fix-tex-arbitrary-code-execution texlive-base-2012.20120611/debian/patches/fix-tex-arbitrary-code-execution --- texlive-base-2012.20120611/debian/patches/fix-tex-arbitrary-code-execution 1970-01-01 09:00:00.000000000 +0900 +++ texlive-base-2012.20120611/debian/patches/fix-tex-arbitrary-code-execution 2017-03-07 10:54:45.000000000 +0900 @@ -0,0 +1,14 @@ +--- + texmf/web2c/texmf.cnf | 1 - + 1 file changed, 1 deletion(-) + +--- texlive-base-2012.20120611.orig/texmf/web2c/texmf.cnf ++++ texlive-base-2012.20120611/texmf/web2c/texmf.cnf +@@ -548,7 +548,6 @@ + bibtex,bibtex8,\ + kpsewhich,\ + makeindex,\ +-mpost,\ + repstopdf,\ + + % we'd like to allow: diff -Nru texlive-base-2012.20120611/debian/patches/series texlive-base-2012.20120611/debian/patches/series --- texlive-base-2012.20120611/debian/patches/series 2012-10-03 20:51:14.000000000 +0900 +++ texlive-base-2012.20120611/debian/patches/series 2017-03-07 10:53:23.000000000 +0900 @@ -24,3 +24,4 @@ fix-natbib-add-spaces upstream_updmap-ignoring-settings upstream_fix_babel_french_days +fix-tex-arbitrary-code-execution
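Review bot: The new debian/patches/fix-tex-arbitrary-code-execution file has no description header. Above its texmf.cnf hunk it carries only `---` and the diffstat, so the reason for deleting `mpost,\` is recorded only in debian/changelog. Suggest adding a short description at the top of the patch that names CVE-2016-10243 and states that mpost is removed from shell_escape_commands, so the entry appended to debian/patches/series can be understood without reading the changelog.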
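Added example, not part of the message above or of the texlive-base package: a check that could back the minimal install test by reading a texmf.cnf and reporting whether `mpost` is still in `shell_escape_commands`. The parser is a simplified reading of the file format (backslash continuations, comment-only lines, first assignment assumed to win), the function names are hypothetical, and the sample text is constructed from the context lines of the debdiff.

```python
import re

# Constructed sample modelled on the context lines of the debdiff (the list
# before the patch); it is not a complete texmf.cnf.
SAMPLE_BEFORE = r"""% constructed sample
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,\
makeindex,\
mpost,\
repstopdf,\

% we'd like to allow:
"""
# The same sample with the one line the patch deletes taken out.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("mpost,\\\n", "")


def logical_lines(text):
    """Join backslash-continued lines; skip blank and comment-only lines."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "%#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]  # drop the backslash, keep collecting
            continue
        yield pending + line  # a blank line also ends a continuation
        pending = ""
    if pending:
        yield pending


def shell_escape_commands(text):
    """Names in the first shell_escape_commands assignment (assumed to win)."""
    for line in logical_lines(text):
        m = re.match(r"shell_escape_commands(?:\s*=\s*|\s+)(.*)$", line)
        if m:
            return [name.strip() for name in m.group(1).split(",") if name.strip()]
    return []


def flagged(text, denied=("mpost",)):
    """Entries of the allow-list that the fix says must not be there."""
    return sorted(set(shell_escape_commands(text)) & set(denied))


if __name__ == "__main__":
    for label, cnf in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, shell_escape_commands(cnf), "flagged:", flagged(cnf))
```

On an installed system, `kpsewhich -var-value=shell_escape_commands` prints the value that is actually in effect, which is the better thing to check once the package is built.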
