Re: [SECURITY] [DLA 3941-1] texlive-bin security update

To: Bastien Roucariès <rouca@debian.org>
Cc: debian-lts@lists.debian.org
Subject: Re: [SECURITY] [DLA 3941-1] texlive-bin security update
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 4 Nov 2024 17:11:52 +0100
Message-id: <[🔎] ZyjySGLfqi9WP04U@eldamar.lan>
Mail-followup-to: Bastien Roucariès <rouca@debian.org>, debian-lts@lists.debian.org
In-reply-to: <b651b7726c8c6114c788f0f35a06beda.rouca@debian.org>
References: <b651b7726c8c6114c788f0f35a06beda.rouca@debian.org>

Hi Bastien

On Wed, Oct 30, 2024 at 08:56:49AM +0000, rouca@debian.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> - -------------------------------------------------------------------------
> Debian LTS Advisory DLA-3941-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                   Bastien Roucariès
> October 29, 2024                              https://wiki.debian.org/LTS
> - -------------------------------------------------------------------------
> 
> Package        : texlive-bin
> Version        : 2020.20200327.54578-7+deb11u2
> CVE ID         : CVE-2023-32668 CVE-2024-25262
> Debian Bug     : 1036470 1064517
> 
> texlive, a popular software distribution for the TeX typesetting system
> that includes major TeX-related programs, macro packages, and fonts,
> was affected by two vulnerabilties.
> 
> CVE-2023-32668
> 
>     A document (compiled with the default settings)
>     was allowed to make arbitrary network requests.
>     This occurs because full access to the socket library was
>     permitted by default, as stated in the documentation.

This might actually need a followup for src:context similar to what
was done for bookworm once fixing the CVE (was done in a point release
doe to beeing no-dsa). The problem is highlighted here:

https://www.maxchernoff.ca/p/luatex-vulnerabilities#luasocket

When you install texlive-binaries and context in bullseye:

# apt-get install context texlive-binaries
[...]
Setting up texlive-binaries (2020.20200327.54578-7+deb11u2) ...
[...]
Setting up texlive-metapost (2020.20210202-3) ...
Setting up texlive-luatex (2020.20210202-3) ...
Setting up texlive-plain-generic (2020.20210202-3) ...
Setting up context (2020.03.10.20200331-1) ...
Running mtxrun --generate. This may take some time... done.
Pregenerating ConTeXt MarkIV format. This may take some time...

will hang here.

In bookworm for src:context you have the following change as well
(which might need adaption for older verisons);

https://sources.debian.org/src/context/2021.03.05.20230120%2Bdfsg-1%2Bdeb12u1/debian/patches/enable_socket_in_mtxrun/

Can you have a look?

Regards,
Salvatore

Reply to:

Prev by Date: Re: Bug#1086602: bullseye-pu: package intel-microcode/3.20240910.1~deb11u1
Next by Date: Testing webkit2gtk update on bullseye
Previous by thread: Re: Bug#1086602: bullseye-pu: package intel-microcode/3.20240910.1~deb11u1
Next by thread: Testing webkit2gtk update on bullseye
Index(es):
- Date
- Thread