
Re: Wheezy update of texlive-base?



Hi Markus,

> Would you like to take care of this yourself?

I have prepared a new package and tried to build it in my
wheezy chroot/cowbuilder, but that ended in segfaults.
It seems that either my wheezy chroot is broken, or the binaries
in wheezy (bash) cannot run anymore on my sid system.

Thus, I send you the debdiff and ask you to build and upload.
Testing can be minimal (install test), since the only change is
removing one line from the configuration texmf.cnf so that mpost
cannot be called (see debdiff).

If you need anything else from me, please let me know. I can 
build and sign the packages on my sid system, but I'm not
sure whether this is a good idea. If you want me to build
on sid, sign, and upload, let me know.

All the best

Norbert

--
PREINING Norbert                               http://www.preining.info
Accelia Inc.     +    JAIST     +    TeX Live     +    Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
diff -Nru texlive-base-2012.20120611/debian/changelog texlive-base-2012.20120611/debian/changelog
--- texlive-base-2012.20120611/debian/changelog	2012-10-03 21:01:59.000000000 +0900
+++ texlive-base-2012.20120611/debian/changelog	2017-03-07 10:54:45.000000000 +0900
@@ -1,3 +1,9 @@
+texlive-base (2012.20120611-5+deb7u1) wheezy-security; urgency=high
+
+  * remove mpost from list of shell_escape_commands (CVE-2016-10243)
+
+ -- Norbert Preining <preining@debian.org>  Tue, 07 Mar 2017 10:54:45 +0900
+
 texlive-base (2012.20120611-5) unstable; urgency=low
 
   * properly purge some conffiles (Closes: #688382)
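
Review bot: The new changelog entry at the top of this hunk names the CVE but not the patch that carries the fix or the file it touches. Consider extending the bullet to mention debian/patches/fix-tex-arbitrary-code-execution and texmf/web2c/texmf.cnf, so that someone auditing the wheezy-security upload can get from the changelog to the one-line change directly.
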
diff -Nru texlive-base-2012.20120611/debian/patches/fix-tex-arbitrary-code-execution texlive-base-2012.20120611/debian/patches/fix-tex-arbitrary-code-execution
--- texlive-base-2012.20120611/debian/patches/fix-tex-arbitrary-code-execution	1970-01-01 09:00:00.000000000 +0900
+++ texlive-base-2012.20120611/debian/patches/fix-tex-arbitrary-code-execution	2017-03-07 10:54:45.000000000 +0900
@@ -0,0 +1,14 @@
+---
+ texmf/web2c/texmf.cnf |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- texlive-base-2012.20120611.orig/texmf/web2c/texmf.cnf
++++ texlive-base-2012.20120611/texmf/web2c/texmf.cnf
+@@ -548,7 +548,6 @@
+ bibtex,bibtex8,\
+ kpsewhich,\
+ makeindex,\
+-mpost,\
+ repstopdf,\
+ 
+ % we'd like to allow:
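
Review bot: The patch file added here opens with a bare `---` and a diffstat, with no description header. A short DEP-3 style header above the `---` (Description, Author, and a reference to CVE-2016-10243) would record why `mpost,\` is dropped from the list in texmf.cnf. Since the mail proposes only an install test, it would also be worth confirming on the built package that `kpsewhich -var-value=shell_escape_commands` no longer lists mpost.
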
diff -Nru texlive-base-2012.20120611/debian/patches/series texlive-base-2012.20120611/debian/patches/series
--- texlive-base-2012.20120611/debian/patches/series	2012-10-03 20:51:14.000000000 +0900
+++ texlive-base-2012.20120611/debian/patches/series	2017-03-07 10:53:23.000000000 +0900
@@ -24,3 +24,4 @@
 fix-natbib-add-spaces
 upstream_updmap-ignoring-settings
 upstream_fix_babel_french_days
+fix-tex-arbitrary-code-execution
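
Review bot: The new series entry fix-tex-arbitrary-code-execution does not say which issue it addresses. A name that includes the CVE id from the changelog (CVE-2016-10243) would make the patch easier to locate in later audits; if renamed, the file under debian/patches needs the same name.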
