Re: [SECURITY] [DLA 3941-1] texlive-bin security update
Hi Bastien
On Wed, Oct 30, 2024 at 08:56:49AM +0000, rouca@debian.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-3941-1 debian-lts@lists.debian.org
> https://www.debian.org/lts/security/ Bastien Roucariès
> October 29, 2024 https://wiki.debian.org/LTS
> -------------------------------------------------------------------------
>
> Package : texlive-bin
> Version : 2020.20200327.54578-7+deb11u2
> CVE ID : CVE-2023-32668 CVE-2024-25262
> Debian Bug : 1036470 1064517
>
> texlive, a popular software distribution for the TeX typesetting system
> that includes major TeX-related programs, macro packages, and fonts,
> was affected by two vulnerabilities.
>
> CVE-2023-32668
>
> A document (compiled with the default settings)
> was allowed to make arbitrary network requests.
> This occurs because full access to the socket library was
> permitted by default, as stated in the documentation.
This might actually need a follow-up for src:context similar to what
was done for bookworm once fixing the CVE (was done in a point release
due to being no-dsa). The problem is highlighted here:
https://www.maxchernoff.ca/p/luatex-vulnerabilities#luasocket
When you install texlive-binaries and context in bullseye:
# apt-get install context texlive-binaries
[...]
Setting up texlive-binaries (2020.20200327.54578-7+deb11u2) ...
[...]
Setting up texlive-metapost (2020.20210202-3) ...
Setting up texlive-luatex (2020.20210202-3) ...
Setting up texlive-plain-generic (2020.20210202-3) ...
Setting up context (2020.03.10.20200331-1) ...
Running mtxrun --generate. This may take some time... done.
Pregenerating ConTeXt MarkIV format. This may take some time...
will hang here.
In bookworm for src:context you have the following change as well
(which might need adaptation for older versions):
https://sources.debian.org/src/context/2021.03.05.20230120%2Bdfsg-1%2Bdeb12u1/debian/patches/enable_socket_in_mtxrun/
Can you have a look?
Regards,
Salvatore