rpm package
opensuse/texlive&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/texlive&distro=openSUSE%20Tumbleweed
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-32700 | — | < 2023.20230311.svn34398-90.1 | 2023.20230311.svn34398-90.1 | May 20, 2023 | LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5. | ||
| CVE-2023-32668 | — | < 2023.20230311.svn34398-90.1 | 2023.20230311.svn34398-90.1 | May 11, 2023 | LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX | ||
| CVE-2020-8016 | — | < 2021.20210325.svn34398-76.3 | 2021.20210325.svn34398-76.3 | Apr 2, 2020 | A Race Condition Enabling Link Following vulnerability in the packaging of texlive-filesystem of SUSE Linux Enterprise Module for Desktop Applications 15-SP1, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Le | ||
| CVE-2019-18604 | — | < 2021.20210325.svn34398-76.3 | 2021.20210325.svn34398-76.3 | Oct 29, 2019 | In axohelp.c before 1.3 in axohelp in axodraw2 before 2.1.1b, as distributed in TeXLive and other collections, sprintf is mishandled. | ||
| CVE-2018-17407 | — | < 2021.20210325.svn34398-76.3 | 2021.20210325.svn34398-76.3 | Sep 23, 2018 | An issue was discovered in t1_check_unusual_charstring functions in writet1.c files in TeX Live before 2018-09-21. A buffer overflow in the handling of Type 1 fonts allows arbitrary code execution when a malicious font is loaded by one of the vulnerable tools: pdflatex, pdftex, d | ||
| CVE-2016-10243 | Cri | 9.8 | < 2021.20210325.svn34398-76.3 | 2021.20210325.svn34398-76.3 | May 2, 2017 | TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file. |
- CVE-2023-32700May 20, 2023affected < 2023.20230311.svn34398-90.1fixed 2023.20230311.svn34398-90.1
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
- CVE-2023-32668May 11, 2023affected < 2023.20230311.svn34398-90.1fixed 2023.20230311.svn34398-90.1
LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX
- CVE-2020-8016Apr 2, 2020affected < 2021.20210325.svn34398-76.3fixed 2021.20210325.svn34398-76.3
A Race Condition Enabling Link Following vulnerability in the packaging of texlive-filesystem of SUSE Linux Enterprise Module for Desktop Applications 15-SP1, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Le
- CVE-2019-18604Oct 29, 2019affected < 2021.20210325.svn34398-76.3fixed 2021.20210325.svn34398-76.3
In axohelp.c before 1.3 in axohelp in axodraw2 before 2.1.1b, as distributed in TeXLive and other collections, sprintf is mishandled.
- CVE-2018-17407Sep 23, 2018affected < 2021.20210325.svn34398-76.3fixed 2021.20210325.svn34398-76.3
An issue was discovered in t1_check_unusual_charstring functions in writet1.c files in TeX Live before 2018-09-21. A buffer overflow in the handling of Type 1 fonts allows arbitrary code execution when a malicious font is loaded by one of the vulnerable tools: pdflatex, pdftex, d
- affected < 2021.20210325.svn34398-76.3fixed 2021.20210325.svn34398-76.3
TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file.