Bug#1036470: marked as done (texlive-bin: CVE-2023-32668)



Your message dated Fri, 30 Jun 2023 23:17:09 +0000
with message-id <E1qFNMT-0003dH-FC@fasolo.debian.org>
and subject line Bug#1036470: fixed in texlive-bin 2022.20220321.62855-5.1+deb12u1
has caused the Debian Bug report #1036470,
regarding texlive-bin: CVE-2023-32668
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1036470: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036470
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: texlive-bin
Version: 2022.20220321.62855-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for texlive-bin.

CVE-2023-32668[0]:
| LuaTeX before 1.17.0 allows a document (compiled with the default
| settings) to make arbitrary network requests. This occurs because full
| access to the socket library is permitted by default, as stated in the
| documentation. This also affects TeX Live before 2023 r66984 and
| MiKTeX before 23.5.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-32668
    https://www.cve.org/CVERecord?id=CVE-2023-32668
[1] https://tug.org/pipermail/tex-live/2023-May/049188.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: texlive-bin
Source-Version: 2022.20220321.62855-5.1+deb12u1
Done: Hilmar Preusse <hille42@web.de>

We believe that the bug you reported is fixed in the latest version of
texlive-bin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1036470@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilmar Preusse <hille42@web.de> (supplier of updated texlive-bin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 27 Jun 2023 22:07:12 +0200
Source: texlive-bin
Architecture: source
Version: 2022.20220321.62855-5.1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian TeX Task Force <debian-tex-maint@lists.debian.org>
Changed-By: Hilmar Preusse <hille42@web.de>
Closes: 1035461 1036470
Changes:
 texlive-bin (2022.20220321.62855-5.1+deb12u1) bookworm; urgency=medium
 .
   * Stop building *jit* binaries on i386 based arches to make TL installable
     on computers not supporting sse2 (Closes: #1035461).
   * Add patch for CVE-2023-32668: disable socket in luatex by default
     (Closes: #1036470).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
