Hello community, here is the log from the commit of package texlive-specs-m for openSUSE:Factory checked in at 2017-03-10 21:04:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/texlive-specs-m (Old) and /work/SRC/openSUSE:Factory/.texlive-specs-m.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "texlive-specs-m" Fri Mar 10 21:04:51 2017 rev:27 rq:477764 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/texlive-specs-m/texlive-specs-m.changes 2016-12-11 13:23:11.390820314 +0100 +++ /work/SRC/openSUSE:Factory/.texlive-specs-m.new/texlive-specs-m.changes 2017-03-10 21:04:53.326584065 +0100 @@ -1,0 +2,9 @@ +Wed Mar 8 12:02:02 UTC 2017 - werner@suse.de + +- Modify patch kpathsea_cnf.dif to remove mpost from the allowed + shell escaping commands (bsc#1028271, CVE-2016-10243) +- Add some lines to %post scriplet for kpathsea to remove mpost + also from an already existing but not becoming replaced + configuration file texmf.cnf + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ texlive-specs-m.spec ++++++ --- /var/tmp/diff_new_pack.VEp43O/_old 2017-03-10 21:04:59.225748144 +0100 +++ /var/tmp/diff_new_pack.VEp43O/_new 2017-03-10 21:04:59.241745877 +0100 @@ -1,7 +1,7 @@ # # spec file for package texlive-specs-m # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %define texlive_version 2016 %define texlive_previous 2015 %define texlive_release 20160523 -%define texlive_noarch 113 +%define texlive_noarch 115 #!BuildIgnore: texlive @@ -5490,6 +5490,9 @@ fi rm -f $new $old fi +if test -s %{_texmfconfdir}/web2c/texmf.cnf.rpmnew ; then + sed -ri '/^shell_escape_commands = \\/,/^mpost,\\/{ /mpost,\\/d }' %{_texmfconfdir}/web2c/texmf.cnf || : +fi mkdir -p /var/run/texlive
/var/run/texlive/run-mktexlsr /var/run/texlive/run-update
++++++ kpathsea_cnf.dif ++++++ --- /var/tmp/diff_new_pack.VEp43O/_old 2017-03-10 21:04:59.541703372 +0100 +++ /var/tmp/diff_new_pack.VEp43O/_new 2017-03-10 21:04:59.545702806 +0100 @@ -1,8 +1,8 @@ --- texmf-dist/web2c/fmtutil.cnf | 17 ++-- texmf-dist/web2c/mktex.opt | 39 +++++++-- - texmf-dist/web2c/texmf.cnf | 173 +++++++++++++++++++++++++------------------ - 3 files changed, 141 insertions(+), 88 deletions(-) + texmf-dist/web2c/texmf.cnf | 174 +++++++++++++++++++++++++------------------ + 3 files changed, 141 insertions(+), 89 deletions(-) --- texmf-dist/web2c/fmtutil.cnf +++ texmf-dist/web2c/fmtutil.cnf 2015-03-30 10:44:48.993518643 +0000 @@ -120,7 +120,7 @@ # Cache values that may be useful for recursive calls. export MT_MKTEX_OPT MT_MKTEX_CNF --- texmf-dist/web2c/texmf.cnf -+++ texmf-dist/web2c/texmf.cnf 2016-06-08 12:46:52.763486323 +0000 ++++ texmf-dist/web2c/texmf.cnf 2017-03-08 12:00:48.739774801 +0000 @@ -57,32 +57,32 @@ TEXMFROOT = $SELFAUTOPARENT @@ -412,7 +412,15 @@ % % For reference, here is the old brace-using definition: %TEXMFCNF = {$SELFAUTOLOC,$SELFAUTODIR,$SELFAUTOPARENT}{,{/share,}/texmf{-local,}/web2c} -@@ -791,3 +792,33 @@ max_cols.gftype = 8191 +@@ -568,7 +569,6 @@ extractbb,\ + gregorio,\ + kpsewhich,\ + makeindex,\ +-mpost,\ + repstopdf,\ + + % we'd like to allow: +@@ -791,3 +791,33 @@ max_cols.gftype = 8191 % Guess input encoding (SJIS vs. Unicode, etc.) in pTeX and friends? % Default is 0, to not guess. guess_input_kanji_encoding = 1