Bug#1036470: marked as done (texlive-bin: CVE-2023-32668)



Your message dated Thu, 29 Jun 2023 22:13:22 +0000
with message-id <E1qEztC-00CfGt-Eu@fasolo.debian.org>
and subject line Bug#1036470: fixed in texlive-bin 2022.20220321.62855-6
has caused the Debian Bug report #1036470,
regarding texlive-bin: CVE-2023-32668
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1036470: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036470
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: texlive-bin
Version: 2022.20220321.62855-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for texlive-bin.

CVE-2023-32668[0]:
| LuaTeX before 1.17.0 allows a document (compiled with the default
| settings) to make arbitrary network requests. This occurs because full
| access to the socket library is permitted by default, as stated in the
| documentation. This also affects TeX Live before 2023 r66984 and
| MiKTeX before 23.5.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-32668
    https://www.cve.org/CVERecord?id=CVE-2023-32668
[1] https://tug.org/pipermail/tex-live/2023-May/049188.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
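As an added check that is not part of the bug report or of the Debian package, the following plain TeX file probes whether the luatex in use still exposes the socket library to documents; it assumes the libraries are reachable as the globals `socket` and `mime` or via `require`, and that `texio.write_nl` and the `status` table are available (both are documented LuaTeX APIs).

```tex
% Constructed check file: compile with
%   luatex --interaction=batchmode socket-check.tex
% then read socket-check.log. After the fix (LuaTeX 1.17.0, TeX Live 2023
% r66984, Debian 2022.20220321.62855-6) the socket library should be
% reported as absent unless it was explicitly enabled on the command line.
% The Lua body avoids TeX-special characters (\, #, %, ~) because
% \directlua expands its argument before handing it to Lua.
\directlua{
  local function loadable(name)
    local ok, lib = pcall(require, name)
    return ok and type(lib) == "table"
  end
  local have_socket = (socket == nil) == false or loadable("socket")
  local have_mime   = (mime == nil) == false or loadable("mime")
  texio.write_nl("log", "luatex version: " .. status.luatex_version
                        .. " rev " .. status.luatex_revision)
  texio.write_nl("log", "shell escape level: " .. status.shell_escape)
  if have_socket then
    texio.write_nl("log", "socket library: AVAILABLE to documents")
  else
    texio.write_nl("log", "socket library: absent (expected after fix)")
  end
  texio.write_nl("log", "mime library: " .. (have_mime and "available" or "absent"))
}
\bye
```

The log line for the socket library is the result to act on; a document-level Lua probe like this is independent of the luatex version string, so it also catches builds that were patched without a version bump.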
--- Begin Message ---
Source: texlive-bin
Source-Version: 2022.20220321.62855-6
Done: Hilmar Preusse <hille42@web.de>

We believe that the bug you reported is fixed in the latest version of
texlive-bin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1036470@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilmar Preusse <hille42@web.de> (supplier of updated texlive-bin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 27 Jun 2023 22:07:12 +0200
Source: texlive-bin
Architecture: source
Version: 2022.20220321.62855-6
Distribution: unstable
Urgency: medium
Maintainer: Debian TeX Task Force <debian-tex-maint@lists.debian.org>
Changed-By: Hilmar Preusse <hille42@web.de>
Closes: 1035461 1036470
Changes:
 texlive-bin (2022.20220321.62855-6) unstable; urgency=medium
 .
   * Stop building *jit* binaries on i386 based arches to make TL installable
     on computers not supporting sse2 (Closes: #1035461).
   * Add patch for CVE-2023-32668: disable socket in luatex by default
     (Closes: #1036470).


--- End Message ---