TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file.
https://www.tug.org/svn/texlive?view=revision&revision=42605
https://security.gentoo.org/glsa/201709-07
http://www.securityfocus.com/bid/96593