CVE-2017-17513

NameCVE-2017-17513
DescriptionTeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to linked_scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua, and texmf-dist/tex/luatex/lualibs/lualibs-os.lua.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
context (PTS)jessie2014.05.21.20140528-2vulnerable
stretch2016.05.17.20160523-1vulnerable
buster2018.04.04.20181118-1vulnerable
bullseye2020.03.10.20200331-1vulnerable
bullseye (security)2020.03.10.20200331-1+deb11u1vulnerable
bookworm2021.03.05.20230120+dfsg-1+deb12u1vulnerable
sid, trixie2024.04.01.20240428+dfsg-2vulnerable
texlive-base (PTS)jessie, jessie (lts)2014.20141024-2+deb8u1vulnerable
stretch2016.20170123-5vulnerable
buster2018.20190227-2vulnerable
bullseye2020.20210202-3vulnerable
bookworm2022.20230122-3vulnerable
trixie2024.20240829-2vulnerable
sid2024.20241102-1vulnerable
texlive-bin (PTS)jessie, jessie (lts)2014.20140926.35254-6+deb8u1vulnerable
stretch (security)2016.20160513.41080.dfsg-2+deb9u1vulnerable
stretch (lts), stretch2016.20160513.41080.dfsg-2+deb9u2vulnerable
buster, buster (lts)2018.20181218.49446-1+deb10u3vulnerable
buster (security)2018.20181218.49446-1+deb10u2vulnerable
bullseye2020.20200327.54578-7+deb11u1vulnerable
bullseye (security)2020.20200327.54578-7+deb11u2vulnerable
bookworm2022.20220321.62855-5.1+deb12u1vulnerable
trixie2024.20240313.70630+ds-4vulnerable
sid2024.20240313.70630+ds-5vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
contextsourcewheezy(not affected)
contextsource(unstable)(unfixed)unimportant
texlive-basesourcewheezy(not affected)
texlive-basesource(unstable)(unfixed)unimportant
texlive-binsourcewheezy(not affected)
texlive-binsource(unstable)(unfixed)unimportant

Notes

[wheezy] - texlive-base <not-affected> (Vulnerable code do not exist)
[wheezy] - texlive-bin <not-affected> (Vulnerable code do not exist)
[wheezy] - context <not-affected> (Vulnerable code do not exist)
https://sources.debian.org/src/texlive-base/2017.20171128-1/texmf-dist/tex/luatex/lualibs/lualibs-os.lua/#L153
https://sources.debian.org/src/texlive-bin/2016.20160513.41080.dfsg-2/texk/texlive/linked_scripts/context/stubs/unix/mtxrun/#L3004
https://sources.debian.org/src/context/2017.05.15.20170613-2/texmf-dist/scripts/context/stubs/mswin/mtxrun.lua/?hl=3424#L3424

Search for package or bug name: Reporting problems