[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1036891: texlive-binaries: Error "attempt to call method 'read' (a nil value)" makes lualatex unusable

Hi all,

> Version: 2018.20181218.49446-1+deb10u1

> This is LuaTeX, Version 1.07.0 (TeX Live 2019/dev/Debian)

> LaTeX2e <2018-12-01>

This is a very odd set of versions. "2018.20181218.49446" implies
TL2018, but your LuaTeX banner says "TeX Live 2019/dev/Debian". TL2019
contains LuaTeX version 1.07.0 and LaTeX version 2018-12-01, so this
looks like TL19 to me. And having "/dev" in the banner for a released
version is also quite odd.

> cat > test.tex <<EOF
> \documentclass{article}
> \begin{document}
> foo
> \end{document}
> EOF
> lualatex test.tex

Works with the upstream versions.

TeX Live 2019:

   $ type -p lualatex
   /tmp/tl2019/bin/x86_64-linux/lualatex
   
   $ grep -E '^[[:space:]]*(version|date)[[:space:]]*= "' $(kpsewhich luaotfload-configuration.lua)
   version = "2.96", --TAGVERSION
   date = "2019-02-14", --TAGDATE
   
   $ cat ./test.tex 
   \documentclass{article}
   \begin{document}
   foo
   \end{document}
   
   $ lualatex ./test.tex 
   This is LuaTeX, Version 1.10.0 (TeX Live 2019/CVE-2023-32700 patched) 
    restricted system commands enabled.
   (./test.tex
   LaTeX2e <2018-12-01>
   
   luaotfload | main : initialization completed in 0.035 seconds
   (/tmp/tl2019/texmf-dist/tex/latex/base/article.cls
   Document Class: article 2018/09/03 v1.4i Standard LaTeX document class
   (/tmp/tl2019/texmf-dist/tex/latex/base/size10.clo)) (./test.aux) [1{/tmp/tl2019
   /texmf-dist/fonts/map/pdftex/updmap/pdftex.map}] (./test.aux))
    377 words of node memory still in use:
      2 hlist, 1 vlist, 1 rule, 2 glue, 3 kern, 1 glyph, 4 attribute, 44 glue_spec
   , 4 attribute_list, 1 write nodes
      avail lists: 2:15,3:2,4:2,5:22,6:1,7:16,9:7
   </usr/local/texlive/2019/texmf-dist/fonts/opentype/public/lm/lmroman10-regular.
   otf>
   Output written on test.pdf (1 page, 2696 bytes).
   Transcript written on test.log.

TeX Live 2018:

   $ type -p lualatex
   /tmp/tl2018/bin/x86_64-linux/lualatex
   
   $ grep -E '^[[:space:]]*(version|date)[[:space:]]*= "' $(kpsewhich luaotfload-configuration.lua)
     version   = "2.8",
   
   $ cat ./test.tex
   \documentclass{article}
   \begin{document}
   foo
   \end{document}
   
   $ lualatex ./test.tex
   lualatex ./test.tex
   This is LuaTeX, Version 1.07.0 (TeX Live 2018/CVE-2023-32700 patched) 
    restricted system commands enabled.
   (./test.tex
   LaTeX2e <2018-04-01> patch level 2
   (using write cache: /tmp/tl2018/texmf-var/luatex-cache/generic)(using read cach
   e: /tmp/tl2018/texmf-var/luatex-cache/generic /home/mseven/.texlive2018/texmf-v
   ar/luatex-cache/generic)
   luaotfload | main : initialization completed in 0.055 seconds
   Babel <3.18> and hyphenation patterns for 1 language(s) loaded.
   (/tmp/tl2018/texmf-dist/tex/latex/base/article.cls
   Document Class: article 2014/09/29 v1.4h Standard LaTeX document class
   (/tmp/tl2018/texmf-dist/tex/latex/base/size10.clo(load luc: /tmp/tl2018/texmf-v
   ar/luatex-cache/generic/fonts/otl/lmroman10-regular.luc))) (./test.aux)
   [1{/tmp/tl2018/texmf-dist/fonts/map/pdftex/updmap/pdftex.map}] (./test.aux))
    355 words of node memory still in use:
      2 hlist, 1 vlist, 1 rule, 2 glue, 3 attribute, 45 glue_spec, 3 attribute_lis
   t, 1 write nodes
      avail lists: 2:15,3:3,4:1,5:22,6:1,7:16,8:1,9:6
   </usr/local/texlive/2018/texmf-dist/fonts/opentype/public/lm/lmroman10-regular.
   otf>
   Output written on test.pdf (1 page, 2613 bytes).
   Transcript written on test.log.

> Short question: the web page for the security issue [1] lists a few 
> patches. I downloaded a few of them, but no one is matches to the 
> CVE-2023-32700.patch in the texlive-bin_2018.20181218.49446-1+deb10u1 
> diff. Which patch did you use?

> I don't see any patch differences though.

Your patch [1] is wrong. That patch just cherry-picks 5650c067 [2]:

   +static int io_kpse_popen (lua_State *L) {
   +  const char *filename = NULL;
   +  const char *mode = NULL;
   +  LStream *p = NULL;
   +  filename = luaL_checkstring(L, 1);
   +  mode = luaL_optstring(L, 2, "r");
   +  /* Check filename with kpse.check_permission . */
   +  lua_getglobal(L,"kpse");
   +  lua_getfield(L, -1, "check_permission");

But kpse.check_permission wasn't added until TL2020 [3], meaning that
any call to this io.kpsepopen/io.popen is guaranteed to fail. This is
actually lucky though -- 5650c067 contains a different security
vulnerability that is only resolved in b8b71a25 [4].

To fix this, there are 3 options (pick 1):

   1. Cherry-pick *both* 5650c067 and b8b71a25
      
   2. Follow the instructions in [5]
      
   3. Apply the appropriate patch from [6]

Option (3) will the easiest, but it will only work if your LuaTeX source
very closely corresponds to the source in an upstream TL release.
Otherwise, you'll need to do option (2). Option (1) is the same as
option (2), except I've already gone to the trouble of reducing the
patch to the bare minimum.

Thanks,
-- Max

[1]: https://github.com/debian-tex/texlive-bin/blob/buster/debian/patches/CVE-2023-32700.patch
[2]: https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/5650c067
[3]: https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/dff83d848ab7e67f7914bceda801b954481bf970#b8825b1e27093ebb7d773bd3810dc1e8bf654ad1_846_848
[4]: https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/b8b71a25
[5]: https://tug.org/~mseven/luatex.html#patching
[6]: https://tug.org/~mseven/luatex.html#patches-for-specific
Reply to: