Bug#1036470: texlive-bin: CVE-2023-32668

To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 1036470@bugs.debian.org
Subject: Bug#1036470: texlive-bin: CVE-2023-32668
From: Preuße@buxtehude.debian.org, Hilmar <hille42@web.de>
Date: Sun, 21 May 2023 21:54:30 +0200
Message-id: <[🔎] 3993f975-0296-63b4-0156-2e9d34142e87@web.de>
Reply-to: Preuße@buxtehude.debian.org, Hilmar <hille42@web.de>, 1036470@bugs.debian.org
In-reply-to: <[🔎] 168469601544.1390258.4575369345500317012.reportbug@eldamar.lan>
References: <[🔎] 168469601544.1390258.4575369345500317012.reportbug@eldamar.lan> <[🔎] 168469601544.1390258.4575369345500317012.reportbug@eldamar.lan>

On 21.05.2023 21:06, Salvatore Bonaccorso wrote:

Hello Salvatore,

The following vulnerability was published for texlive-bin.

CVE-2023-32668[0]:
| LuaTeX before 1.17.0 allows a document (compiled with the default
| settings) to make arbitrary network requests. This occurs because full
| access to the socket library is permitted by default, as stated in the
| documentation. This also affects TeX Live before 2023 r66984 and
| MiKTeX before 23.5.

I updated to luatex 1.17.0 already in the TeX Live binaries for TL 2023in commit 5348a805847c038d92c80a9b208da48dc527decd, the needed adaptionsfor Context were made, but all that needs to be tested.


Is that sufficient or do we need to fix all this in bookworm / bullseye too?

Hilmar
--
sigfault

Attachment: OpenPGP_0x0C871C4C653C1F59.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Bug#1036470: texlive-bin: CVE-2023-32668
  - From: Salvatore Bonaccorso <carnil@debian.org>

References:
- Bug#1036470: texlive-bin: CVE-2023-32668
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#1036470: texlive-bin: CVE-2023-32668
Next by Date: Bug#1036470: texlive-bin: CVE-2023-32668
Previous by thread: Bug#1036470: texlive-bin: CVE-2023-32668
Next by thread: Bug#1036470: texlive-bin: CVE-2023-32668
Index(es):
- Date
- Thread