PT-2017-14824 · Tex Users+1 · Tex Live+1
Publicado
2017-12-14
·
Atualizado
2018-01-02
·
CVE-2017-17513
CVSS v3.1
8.8
Alta
| Vetor | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
TeX Live versions through 20170524
Description
The issue is related to the lack of validation of strings before launching the program specified by the BROWSER environment variable. This could allow remote attackers to conduct argument-injection attacks via a crafted URL. The affected files include linked scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua, and texmf-dist/tex/luatex/lualibs/lualibs-os.lua.
Recommendations
For TeX Live versions through 20170524, consider validating strings before launching the program specified by the BROWSER environment variable to prevent argument-injection attacks. As a temporary workaround, restrict the use of the BROWSER environment variable until a patch is available.
Correção
Special Elements Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Debian
Tex Live