| Name | CVE-2017-17513 |
| Description | TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to linked_scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua, and texmf-dist/tex/luatex/lualibs/lualibs-os.lua. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| context (PTS) | bullseye | 2020.03.10.20200331-1 | vulnerable |
| bullseye (security) | 2020.03.10.20200331-1+deb11u1 | vulnerable | |
| bookworm | 2021.03.05.20230120+dfsg-1+deb12u1 | vulnerable | |
| sid, trixie | 2024.04.01.20240428+dfsg-2 | vulnerable | |
| texlive-base (PTS) | bullseye | 2020.20210202-3 | vulnerable |
| bookworm | 2022.20230122-3 | vulnerable | |
| trixie | 2024.20241102-1 | vulnerable | |
| sid | 2024.20241115-1 | vulnerable | |
| texlive-bin (PTS) | bullseye | 2020.20200327.54578-7+deb11u1 | vulnerable |
| bullseye (security) | 2020.20200327.54578-7+deb11u2 | vulnerable | |
| bookworm | 2022.20220321.62855-5.1+deb12u1 | vulnerable | |
| sid, trixie | 2024.20240313.70630+ds-5 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| context | source | wheezy | (not affected) | |||
| context | source | (unstable) | (unfixed) | unimportant | ||
| texlive-base | source | wheezy | (not affected) | |||
| texlive-base | source | (unstable) | (unfixed) | unimportant | ||
| texlive-bin | source | wheezy | (not affected) | |||
| texlive-bin | source | (unstable) | (unfixed) | unimportant |
[wheezy] - texlive-base <not-affected> (Vulnerable code do not exist)
[wheezy] - texlive-bin <not-affected> (Vulnerable code do not exist)
[wheezy] - context <not-affected> (Vulnerable code do not exist)
https://sources.debian.org/src/texlive-base/2017.20171128-1/texmf-dist/tex/luatex/lualibs/lualibs-os.lua/#L153
https://sources.debian.org/src/texlive-bin/2016.20160513.41080.dfsg-2/texk/texlive/linked_scripts/context/stubs/unix/mtxrun/#L3004
https://sources.debian.org/src/context/2017.05.15.20170613-2/texmf-dist/scripts/context/stubs/mswin/mtxrun.lua/?hl=3424#L3424