First published: Thu Dec 14 2017
TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to linked_scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua, and texmf-dist/tex/luatex/lualibs/lualibs-os.lua.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Tug Tex Live | <=20170524 | |
debian/context | <=2018.04.04.20181118-1, <=2020.03.10.20200331-1, <=2021.03.05.20230120+dfsg-1+deb12u1, <=2023.05.05.20230730+dfsg-2 | |
debian/texlive-base | <=2018.20190227-2, <=2020.20210202-3, <=2022.20230122-3, <=2023.20231007-1 | |
debian/texlive-bin | <=2018.20181218.49446-1, <=2018.20181218.49446-1+deb10u2, <=2020.20200327.54578-7+deb11u1, <=2022.20220321.62855-5.1+deb12u1, <=2023.20230311.66589-6 | |
CVE-2017-17513 is a vulnerability in TeX Live through 20170524 that allows remote attackers to conduct argument-injection attacks via a crafted URL.
CVE-2017-17513 affects TeX Live through 20170524.
CVE-2017-17513 has a severity rating of 8.8 (high).
The software packages affected by CVE-2017-17513 include 'context', 'texlive-base', 'texlive-bin', and 'Tug Tex Live'.
No fixes or remedies are currently available for CVE-2017-17513.