
Bug#1036470: texlive-bin: CVE-2023-32668



Hi Hilmar!

On Sun, May 21, 2023 at 09:54:30PM +0200, Preuße, Hilmar wrote:
> On 21.05.2023 21:06, Salvatore Bonaccorso wrote:
> 
> Hello Salvatore,
> 
> > The following vulnerability was published for texlive-bin.
> > 
> > CVE-2023-32668[0]:
> > | LuaTeX before 1.17.0 allows a document (compiled with the default
> > | settings) to make arbitrary network requests. This occurs because full
> > | access to the socket library is permitted by default, as stated in the
> > | documentation. This also affects TeX Live before 2023 r66984 and
> > | MiKTeX before 23.5.
> > 
> 
> I updated to luatex 1.17.0 already in the TeX Live binaries for TL 2023 in
> commit 5348a805847c038d92c80a9b208da48dc527decd, the needed adaptions for
> Context were made, but all that needs to be tested.
> 
> Is that sufficient or do we need to fix all this in bookworm / bullseye too?

Correct, I think this is the correct way to address it for trixie. For
bookworm and bullseye, the impact is low enough that we can either
think of including the fix in a point release or ignore it. When
looking at it, it was unclear to me whether, apart from ConTeXt, any
other reverse dependencies might be impacted. According to
https://tug.org/~mseven/luatex.html#luasocket at least ConTeXt might
need changes for the changed default behaviour with the new flag.

Thanks for taking care of this.

Regards,
Salvatore
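A small probe document for the behaviour the CVE text describes (the Lua
socket library being reachable from an ordinary document), added here as an
illustration; it is not part of this bug report, of LuaTeX or of the Debian
packaging. It assumes only the standard LuaTeX primitives \directlua and
texio.write_nl and the fact that luasocket is exposed to documents as the
global table `socket` (and via require); it makes no network connection, it
just reports whether the library is reachable. Run it with a plain
`luatex socket-probe.tex` on an affected binary and again on a fixed one, or
with the --nosocket / --socket command-line options, and compare the line
written to the terminal and log.

```tex
% socket-probe.tex: does this LuaTeX expose the socket library to documents?
% Constructed example for this bug; not code from LuaTeX or TeX Live.
% Usage: luatex socket-probe.tex           (whatever the binary's default is)
%        luatex --nosocket socket-probe.tex (socket access explicitly off)
\directlua{
  % The luasocket core is preloaded into the global 'socket' table when
  % enabled; when it is disabled the global is absent.  Avoid '~=' here:
  % '~' is an active character in plain TeX and would be mangled on expansion.
  local reachable = (socket and true) or false
  % Fallback: a document can also try to pull the library in via require.
  % socket.lua itself needs socket.core, so this fails when the core is
  % not compiled in / not enabled.  pcall keeps a failure from aborting the run.
  if not reachable then
    local ok = pcall(require, "socket")
    reachable = (ok and package.loaded["socket"] and true) or false
  end
  local verdict
  if reachable then
    verdict = "IS reachable: a document compiled with these settings could open network connections"
  else
    verdict = "is NOT reachable: network access from documents is blocked"
  end
  texio.write_nl("term and log", "socket-probe: Lua socket library " .. verdict)
}
\bye
```

The check intentionally does not open a connection: the point of the probe is
to tell whether a given luatex binary (or a given set of command-line
options) leaves the library exposed, which is enough to decide whether
untrusted documents should be compiled with it. The `--nosocket` option
predates 1.17.0, so it can also be used as a mitigation on older binaries
where the default is still to allow access.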

