Bug#1036470: texlive-bin: CVE-2023-32668

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1036470: texlive-bin: CVE-2023-32668
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 21 May 2023 21:06:55 +0200
Message-id: <[🔎] 168469601544.1390258.4575369345500317012.reportbug@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1036470@bugs.debian.org

Source: texlive-bin
Version: 2022.20220321.62855-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for texlive-bin.

CVE-2023-32668[0]:
| LuaTeX before 1.17.0 allows a document (compiled with the default
| settings) to make arbitrary network requests. This occurs because full
| access to the socket library is permitted by default, as stated in the
| documentation. This also affects TeX Live before 2023 r66984 and
| MiKTeX before 23.5.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-32668
    https://www.cve.org/CVERecord?id=CVE-2023-32668
[1] https://tug.org/pipermail/tex-live/2023-May/049188.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply to:

Follow-Ups:
- Bug#1036470: texlive-bin: CVE-2023-32668
  - From: Preuße@buxtehude.debian.org, Hilmar <hille42@web.de>

Prev by Date: texlive-bin_2020.20200327.54578-7+deb11u1_sourceonly.changes ACCEPTED into proposed-updates->stable-new
Next by Date: Bug#1036470: texlive-bin: CVE-2023-32668
Previous by thread: texlive-bin_2020.20200327.54578-7+deb11u1_sourceonly.changes ACCEPTED into proposed-updates->stable-new
Next by thread: Bug#1036470: texlive-bin: CVE-2023-32668
Index(es):
- Date
- Thread