
Bug#1036891: texlive-binaries: Error "attempt to call method 'read' (a nil value)" makes lualatex unusable



Hi Hilmar, hi Markus,

On Tue, May 30, 2023 at 11:32:24PM +0200, Preuße, Hilmar wrote:
> On 30.05.2023 20:37, Salvatore Bonaccorso wrote:
> 
> Hi Salvatore, hi Markus,
> 
> > No, buster is under LTS support which does not have point releases.
> > But as I understand this is a regression from DLA-3427-1, so a
> > regression update might be worth to be issued for it, once there is a
> > fix known.
> > 
> Short question: the web page for the security issue [1] lists a few patches.
> I downloaded a few of them, but none of them matches the
> CVE-2023-32700.patch in the texlive-bin_2018.20181218.49446-1+deb10u1 diff.
> Which patch did you use?

Source code patch is at https://tug.org/~mseven/luatex.html#patching
but it needs to be expanded as Markus explained, and update the
bytecode.

Just a suspicion (and nothing more right now, I have not dug deeper)
that there is in the older version of texlive-base something
incompatible with the popen change in buster. In fact diff'ing between
the versions in buster and bullseye,
texmf-dist/tex/luatex/luaotfload/luaotfload-database.lua drops the use
of the local iopopen, which is io.popen.

So (at least one) of the CTAN packages for luatex is causing an issue
(at least luaotfload).

So the security fix for texlive-bin, which I believe is correctly
implemented, causes a functional regression in src:texlive-base for
texlive-luatex, specifically for the luaotfload package?

Can those changes be backported and a functional regression fix be
done in src:texlive-base or is that becoming too intrusive?

Regards,
Salvatore

