Your message dated Sat, 22 Jul 2023 13:19:41 +0000
with message-id <e1qncwl-005ro2...@coccia.debian.org>
and subject line Released with 12.1
has caused the Debian Bug report #1038000,
regarding bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1038000: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038000
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: texlive-...@packages.debian.org, car...@debian.org
Control: affects -1 + src:texlive-bin

* Stop building *jit* binaries on i386 based arches to make TL installable
  on computers not supporting sse2 (Closes: #1035461).
* Add patch for CVE-2023-32668: disable socket in luatex by default
  (Closes: #1036470).

[ Reason ]
- CVE-2023-32668: luatex can open connections to other devices, without
  notification to the end user. It is very surprising that a TeX engine
  allows unrestricted network access by default. This isn't a
  "vulnerability" per se, but the feature is sufficiently dangerous,
  unexpected, and rarely used for it to merit a security update.
- Not building *jit* binaries: currently users having a CPU without sse2
  support are not able to use TL at all, because texlive-binaries is not
  installable. The Dep on sse2-support was introduced late in the bookworm
  release cycle; it is a regression compared to bullseye.

[ Impact ]
- Small security leak in luatex.
- Some people can't use TeX Live at all.

[ Tests ]
The patch for CVE-2023-32668 comes from upstream, was tested there and is
part of the luatex 1.17.0 release. I can confirm that the network access
is disabled with the patch applied.
The patch for not needing sse2 is rather trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable

Both fixes will be uploaded to experimental shortly as soon as TL 2023 is
packaged. The *jit* change will look a little different: I'll split the
*jit* binaries into a new package, so people having sse2-capable CPUs will
still be able to use the jit feature.

[ Other info ]
The ConTeXt mtxrun needs the --socket feature enabled, else the MkIV engine
won't work. Hence we need an update of the context package too, which enables
that feature at runtime. Therefore a second debdiff is attached.

-- 
sigmentation fault
diff -Nru texlive-bin-2022.20220321.62855/debian/changelog texlive-bin-2022.20220321.62855/debian/changelog
--- texlive-bin-2022.20220321.62855/debian/changelog	2023-05-18 23:15:13.000000000 +0200
+++ texlive-bin-2022.20220321.62855/debian/changelog	2023-06-12 23:19:18.000000000 +0200
@@ -1,3 +1,12 @@
+texlive-bin (2022.20220321.62855-5.1+deb12u1) UNRELEASED; urgency=medium
+
+  * Stop building *jit* binaries on i386 based arches to make TL installable
+    on computers not supporting sse2 (Closes: #1035461).
+  * Add patch for CVE-2023-32668: disable socket in luatex by default
+    (Closes: #1036470).
+
+ -- Hilmar Preusse <hill...@web.de>  Mon, 12 Jun 2023 23:19:18 +0200
+
 texlive-bin (2022.20220321.62855-5.1) unstable; urgency=high
 
   * Non-maintainer upload.
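Review bot: the distribution field of the new stanza reads UNRELEASED; the stable upload needs bookworm there before it is built, otherwise the package does not target the suite this pu request is for. The two bullet points match the changes in the rest of the debdiff.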
diff -Nru texlive-bin-2022.20220321.62855/debian/control texlive-bin-2022.20220321.62855/debian/control
--- texlive-bin-2022.20220321.62855/debian/control	2023-05-18 23:15:13.000000000 +0200
+++ texlive-bin-2022.20220321.62855/debian/control	2023-06-12 23:19:18.000000000 +0200
@@ -50,13 +50,12 @@
   libtexlua53-5 (<< ${source:Version}.1~),
   libtexluajit2 (>= ${source:Version}) [amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc],
   libtexluajit2 (<< ${source:Version}.1~) [amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc],
-  sse2-support [i386],
   t1utils, tex-common, perl:any,
   ${shlibs:Depends}, ${misc:Depends}
 Recommends: texlive-base, dvisvgm
 Replaces: ptex-bin, mendexk, jmpost, luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329)
 Conflicts: mendexk, makejvf, jmpost
-Breaks: texlive-base (<< 2021), luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329)
+Breaks: texlive-base (<< 2021), luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329), context (<= 2021.03.05.20230120+dfsg-1)
 Provides: texlive-base-bin, makejvf, mendexk, jmpost, luatex
 Description: Binaries for TeX Live
  This package contains all the binaries of TeX Live packages.
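Review bot: the two libtexluajit2 Depends at the top of this hunk keep `[amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc]` as architecture qualifiers while debian/rules drops hurd-i386, i386 and kfreebsd-i386 from LUAJIT_GOOD_ARCHS; if libtexluajit2 is no longer built on those architectures, texlive-binaries becomes uninstallable there for a new reason, which is exactly what #1035461 is meant to fix. Remove the three architectures from both qualifiers and check the Architecture field of the libtexluajit2 stanza, which this debdiff does not touch. The added Breaks on context (<= 2021.03.05.20230120+dfsg-1) is right: it forces the companion context update once luatex stops loading the socket library by default.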
diff -Nru texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch
--- texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch	1970-01-01 01:00:00.000000000 +0100
+++ texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch	2023-06-12 23:19:18.000000000 +0200
@@ -0,0 +1,234 @@
+--- texlive-bin.orig/texk/web2c/luatexdir/lua/loslibext.c
++++ texlive-bin/texk/web2c/luatexdir/lua/loslibext.c
+@@ -1046,6 +1046,59 @@
+     return ret;
+ }
+ 
++/* socket.sleep and socket.gettime      */
++/* are duplicated here, and they are    */
++/* always available (the socket library */
++/* can  be nil in some setups)          */
++#ifdef _WIN32
++static int socket_timeout_lua_sleep(lua_State *L)
++{
++    double n = luaL_checknumber(L, 1);
++    if (n < 0.0) n = 0.0;
++    if (n < DBL_MAX/1000.0) n *= 1000.0;
++    if (n > INT_MAX) n = INT_MAX;
++    Sleep((int)n);
++    return 0;
++}
++static double socket_timeout_gettime(void) {
++    FILETIME ft;
++    double t;
++    GetSystemTimeAsFileTime(&ft);
++    /* Windows file time (time since January 1, 1601 (UTC)) */
++    t  = ft.dwLowDateTime/1.0e7 + ft.dwHighDateTime*(4294967296.0/1.0e7);
++    /* convert to Unix Epoch time (time since January 1, 1970 (UTC)) */
++    return (t - 11644473600.0);
++}
++#else
++static int socket_timeout_lua_sleep(lua_State *L)
++{
++    double n = luaL_checknumber(L, 1);
++    struct timespec t, r;
++    if (n < 0.0) n = 0.0;
++    if (n > INT_MAX) n = INT_MAX;
++    t.tv_sec = (int) n;
++    n -= t.tv_sec;
++    t.tv_nsec = (int) (n * 1000000000);
++    if (t.tv_nsec >= 1000000000) t.tv_nsec = 999999999;
++    while (nanosleep(&t, &r) != 0) {
++        t.tv_sec = r.tv_sec;
++        t.tv_nsec = r.tv_nsec;
++    }
++    return 0;
++}
++static double socket_timeout_gettime(void) {
++    struct timeval v;
++    gettimeofday(&v, (struct timezone *) NULL);
++    /* Unix Epoch time (time since January 1, 1970 (UTC)) */
++    return v.tv_sec + v.tv_usec/1.0e6;
++}
++#endif
++static int socket_timeout_lua_gettime(lua_State *L)
++{
++    lua_pushnumber(L, socket_timeout_gettime());
++    return 1;
++}
++
+ 
+ /*
+ ** ======================================================
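Review bot: the retry loop in the POSIX socket_timeout_lua_sleep treats every non-zero return from nanosleep as an interruption, but `r` is only filled in for EINTR; on any other errno the loop re-runs with the unchanged `t` and can spin. Guard it with `errno == EINTR`. The hunk also adds no includes, so confirm loslibext.c already pulls in <float.h>, <limits.h>, <time.h> and <sys/time.h> for DBL_MAX, INT_MAX, nanosleep and gettimeofday.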
+@@ -1185,8 +1238,16 @@
+     lua_setfield(L, -2, "execute");
+     lua_pushcfunction(L, os_tmpdir);
+     lua_setfield(L, -2, "tmpdir");
++
+     lua_pushcfunction(L, io_kpse_popen);
+     lua_setfield(L, -2, "kpsepopen");
+ 
++    lua_pushcfunction(L, socket_timeout_lua_sleep);
++    lua_setfield(L, -2, "socketsleep");
++
++    lua_pushcfunction(L, socket_timeout_lua_gettime);
++    lua_setfield(L, -2, "socketgettime");
++
++
+     lua_pop(L, 1);              /* pop the table */
+ }
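Review bot: os.socketsleep and os.socketgettime are registered unconditionally, so scripts that used socket.sleep and socket.gettime keep a replacement when the socket library is disabled; that is the point of the duplicated code, but nothing outside the C comment documents it, so a line in the patch header or NEWS would help ConTeXt and LuaTeX script authors. The two consecutive blank `+` lines before lua_pop are a style nit.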
+--- texlive-bin.orig/texk/web2c/luatexdir/lua/luainit.c
++++ texlive-bin/texk/web2c/luatexdir/lua/luainit.c
+@@ -85,6 +85,8 @@
+     "   --lua=FILE                    load and execute a lua initialization script",
+     "   --[no-]mktex=FMT              disable/enable mktexFMT generation (FMT=tex/tfm)",
+     "   --nosocket                    disable the lua socket library",
++    "   --no-socket                   disable the lua socket library",
++    "   --socket                      enable the lua socket library",
+     "   --output-comment=STRING       use STRING for DVI file comment instead of date (no effect for PDF)",
+     "   --output-directory=DIR        use existing DIR as the directory to write files in",
+     "   --output-format=FORMAT        use FORMAT for job output; FORMAT is 'dvi' or 'pdf'",
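Review bot: the help text now lists --nosocket, --no-socket and --socket but does not say which is the default, and this patch flips the default to disabled; change the two disable lines to read `disable the lua socket library (default)` so users learn why network access from Lua stopped working after the update.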
+@@ -212,9 +214,30 @@
+ #endif
+ 
+ int safer_option = 0;
+-int nosocket_option = 0;
++int nosocket_option = 1; 
++int nosocket_cli_option = 0; 
++int yessocket_cli_option = 0; 
++int socket_bitmask = 0; 
+ int utc_option = 0;
+ 
++/*tex We use a bitmask for the socket library: |0000| and |1xxx| implies |--nosocket|,
++  otherwise the socket library is enabled. Default value is |0000|, i.e. |--nosocket|.
++*/
++#define UPDATE_SOCKET_STATUS() do {                                                              \
++ socket_bitmask = 0;                                                                             \
++ socket_bitmask = safer_option==1?                             (8+socket_bitmask):socket_bitmask;\
++ socket_bitmask = nosocket_cli_option==1?                      (4+socket_bitmask):socket_bitmask;\
++ socket_bitmask = (shellenabledp == 1 && restrictedshell == 0)?(2+socket_bitmask):socket_bitmask;\
++ socket_bitmask = yessocket_cli_option==1?                     (1+socket_bitmask):socket_bitmask;\
++ if( socket_bitmask==0) {                                                                        \
++   nosocket_option = 1;                                                                          \
++ } else if ( socket_bitmask<4) {                                                                 \
++   nosocket_option = 0;                                                                          \
++ } else {                                                                                        \
++   nosocket_option = 1;                                                                          \
++ }                                                                                               \
++} while (0)
++
+ /*tex
+ 
+ Test whether getopt found an option ``A''. Assumes the option index is in the
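Review bot: the comment above UPDATE_SOCKET_STATUS() does not match the macro: it says `|0000|` and `|1xxx|` imply --nosocket, but the `socket_bitmask<4` test also disables the library for `|01xx|` (an explicit --nosocket or --no-socket), so the comment should list all three cases. The security-relevant consequence worth stating plainly is bit 2: an unrestricted shell escape (`shellenabledp == 1 && restrictedshell == 0`) enables the socket library without any --socket flag. That is defensible, since unrestricted shell escape already allows arbitrary commands, but it means `shell_escape=t` in texmf.cnf silently restores network access. The four new int declarations carry trailing whitespace.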
+@@ -242,7 +265,9 @@
+ #endif
+     {"safer", 0, &safer_option, 1},
+     {"utc", 0, &utc_option, 1},
+-    {"nosocket", 0, &nosocket_option, 1},
++    {"nosocket", 0, &nosocket_cli_option, 1},
++    {"no-socket", 0, &nosocket_cli_option, 1},
++    {"socket", 0, &yessocket_cli_option, 1},
+     {"help", 0, 0, 0},
+     {"ini", 0, &ini_version, 1},
+     {"interaction", 1, 0, 0},
+@@ -524,14 +549,11 @@
+                 input_name = xstrdup(sargv[sargc-1]);
+             sargv[sargc-1] = normalize_quotes(input_name, "argument");
+         }
+-        if (safer_option)      /* --safer implies --nosocket */
+-            nosocket_option = 1;
++	UPDATE_SOCKET_STATUS();
+         return;
+ #endif
+     }
+-    /*tex |--safer| implies |--nosocket| */
+-    if (safer_option)
+-        nosocket_option = 1;
++    UPDATE_SOCKET_STATUS();
+     /*tex Finalize the input filename. */
+     if (input_name != NULL) {
+         argv[optind] = normalize_quotes(input_name, "argument");
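Review bot: the first UPDATE_SOCKET_STATUS() call is indented with a tab while the surrounding code uses spaces; match the second call. Both replaced sites are where `--safer implies --nosocket` used to be enforced, and the macro keeps that behaviour through bit 8, so there is no regression in --safer mode.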
+@@ -980,6 +1002,7 @@
+         shellenabledp = true;
+         restrictedshell = false;
+         safer_option = 0;
++	nosocket_option = 0;
+     }
+     /*tex
+         Get the current locale (it should be |C|) and save |LC_CTYPE|, |LC_COLLATE|
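Review bot: nosocket_option is assigned directly here instead of through UPDATE_SOCKET_STATUS(); the macro would give the same answer in this block (shellenabledp true and restrictedshell false set bit 2, safer_option is 0), so calling it keeps a single place that decides the socket state. Tab indentation again.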
+@@ -1148,6 +1171,7 @@
+             }
+             free(v1);
+         }
++	UPDATE_SOCKET_STATUS();
+         /*tex If shell escapes are restricted, get allowed cmds from cnf.  */
+         if (shellenabledp && restrictedshell == 1) {
+             v1 = NULL;
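Review bot: this recompute runs after shellenabledp and restrictedshell have been set from the configuration, as the following `if (shellenabledp && restrictedshell == 1)` shows, so the effective socket state depends on texmf.cnf as well as the command line. That is what bit 2 of the mask intends, but it deserves a sentence in the patch header, since a site that sets shell_escape=t gets the socket library back without noticing. Tab indentation.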
+--- texlive-bin.orig/texk/web2c/luatexdir/lua/luastuff.c
++++ texlive-bin/texk/web2c/luatexdir/lua/luastuff.c
+@@ -323,7 +323,8 @@
+     /*tex
+         The socket and mime libraries are a bit tricky to open because they use a
+         load-time dependency that has to be worked around for luatex, where the C
+-        module is loaded way before the lua module.
++        module is loaded way before the lua module. 
++        The mime library is always available, even if the socket library is not enabled.
+     */
+     if (!nosocket_option) {
+         /* todo: move this to common */
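Review bot: the first changed line of this hunk only adds trailing whitespace to an otherwise unchanged comment line, which makes the diff noisier than needed; keep the original line and add only the new sentence about mime.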
+@@ -348,6 +349,23 @@
+         lua_pop(L, 2);
+         /*tex preload the pure \LUA\ modules */
+         luatex_socketlua_open(L);
++    } else {
++        lua_getglobal(L, "package");
++        lua_getfield(L, -1, "loaded");
++        if (!lua_istable(L, -1)) {
++            lua_newtable(L);
++            lua_setfield(L, -2, "loaded");
++            lua_getfield(L, -1, "loaded");
++        }
++        /*tex |package.loaded.mime = nil| */
++        luaopen_mime_core(L);
++        lua_setfield(L, -2, "mime.core");
++        lua_pushnil(L);
++        lua_setfield(L, -2, "mime");
++        /*tex pop the table */
++        lua_pop(L, 1);
++        /*tex preload the pure \LUA\ mime module */
++        luatex_socketlua_safe_open(L);
+     }
+     luaopen_zlib(L);
+     luaopen_gzip(L);
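Review bot: the Lua stack is left unbalanced in the new else branch: the socket branch ends with `lua_pop(L, 2)` to drop both `package.loaded` and `package`, whereas here `lua_pop(L, 1)` (commented "pop the table") drops only `loaded` and leaves `package` on the stack when luatex_socketlua_safe_open(L) is called. Use lua_pop(L, 2). The `!lua_istable` fallback copied from the socket branch also calls lua_setfield on index -2, which at that point is the non-table value just pushed by lua_getfield rather than `package`; package.loaded is always a table in stock Lua so the branch is dead, but if it is kept it should index the right slot.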
+--- texlive-bin.orig/texk/web2c/luatexdir/lua/luatex-api.h
++++ texlive-bin/texk/web2c/luatexdir/lua/luatex-api.h
+@@ -123,6 +123,7 @@
+ extern int luaopen_socket_core(lua_State * L);
+ extern int luaopen_mime_core(lua_State * L);
+ extern void luatex_socketlua_open(lua_State * L);
++extern void luatex_socketlua_safe_open(lua_State * L);
+ 
+ extern int luaopen_img(lua_State * L);
+ extern int l_new_image(lua_State * L);
+--- texlive-bin.orig/texk/web2c/luatexdir/luasocket/src/lua_preload.c
++++ texlive-bin/texk/web2c/luatexdir/luasocket/src/lua_preload.c
+@@ -16,6 +16,7 @@
+ 
+ 
+ extern void luatex_socketlua_open (lua_State *) ;
++extern void luatex_socketlua_safe_open (lua_State *) ;
+ #include "ftp_lua.c"
+ #include "headers_lua.c" 
+ #include "http_lua.c"
+@@ -47,3 +48,11 @@
+     TEST(luatex_http_lua_open(L));
+     TEST(luatex_ftp_lua_open(L));
+ }
++
++/* luatex_socketlua_safe_open: load safe modules */
++/* of luasocket ( mime ).                        */
++void
++luatex_socketlua_safe_open (lua_State *L) {
++    TEST(luatex_ltn12_lua_open(L));
++    TEST(luatex_mime_lua_open(L));
++}
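Review bot: the patch file has no DEP-3 header; it should open with Origin: (the upstream luatex change, which the bug text locates only in the luatex 1.17.0 release), Bug-Debian: https://bugs.debian.org/1036470 and a Description: naming CVE-2023-32668, so the provenance asserted under [ Tests ] travels with the patch. The comment on luatex_socketlua_safe_open says it loads `( mime )`, but the function also opens ltn12; list both.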
diff -Nru texlive-bin-2022.20220321.62855/debian/patches/series texlive-bin-2022.20220321.62855/debian/patches/series
--- texlive-bin-2022.20220321.62855/debian/patches/series	2023-05-18 23:15:13.000000000 +0200
+++ texlive-bin-2022.20220321.62855/debian/patches/series	2023-06-12 23:19:18.000000000 +0200
@@ -14,3 +14,4 @@
 bad-whatis-entry_xml2pmx.1
 wrong-manual-section_axohelp.1
 CVE-2023-32700.patch
+CVE-2023-32668.patch
diff -Nru texlive-bin-2022.20220321.62855/debian/rules texlive-bin-2022.20220321.62855/debian/rules
--- texlive-bin-2022.20220321.62855/debian/rules	2023-05-18 23:15:13.000000000 +0200
+++ texlive-bin-2022.20220321.62855/debian/rules	2023-06-12 23:19:18.000000000 +0200
@@ -12,7 +12,7 @@
 # all cases. We have now two ways to test for where to build.
 # One by disabling on the other platforms, one by whitelisting
 # and building only on some platforms.
-LUAJIT_GOOD_ARCHS := amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc
+LUAJIT_GOOD_ARCHS := amd64 armel armhf kfreebsd-amd64 powerpc
 
 # In case one wants to build with old automake (<< 1.13.1), the following
 # variable has to be set. By default the debian/control requires high
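Review bot: the comment above this hunk says there are two mechanisms for deciding where luajit is built, a disable list and this whitelist, and only the whitelist changes here; confirm the disable path does not still build the *jit* binaries on i386, hurd-i386 and kfreebsd-i386, and that the architecture qualifiers for libtexluajit2 in debian/control are updated to match.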
diff -Nru context-2021.03.05.20230120+dfsg/debian/changelog context-2021.03.05.20230120+dfsg/debian/changelog
--- context-2021.03.05.20230120+dfsg/debian/changelog	2023-01-20 23:38:39.000000000 +0100
+++ context-2021.03.05.20230120+dfsg/debian/changelog	2023-06-13 00:36:17.000000000 +0200
@@ -1,3 +1,9 @@
+context (2021.03.05.20230120+dfsg-1+deb12u1) UNRELEASED; urgency=medium
+
+  * Explicitely enable socket in ConTeXt mtxrun (see #1036470).
+
+ -- Hilmar Preusse <hill...@web.de>  Tue, 13 Jun 2023 00:36:17 +0200
+
 context (2021.03.05.20230120+dfsg-1) unstable; urgency=medium
 
   * Remove some TeX files not meeting the DFSG from orig.tar.gz
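Review bot: `Explicitely` should be `Explicitly`, and the distribution field reads UNRELEASED where the stable upload needs bookworm. The stanza could also say why the change is needed (mtxrun passes flags to luatex, whose socket default changes with texlive-bin 2022.20220321.62855-5.1+deb12u1), which is the reason for the Breaks added in that package.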
diff -Nru context-2021.03.05.20230120+dfsg/debian/patches/enable_socket_in_mtxrun context-2021.03.05.20230120+dfsg/debian/patches/enable_socket_in_mtxrun
--- context-2021.03.05.20230120+dfsg/debian/patches/enable_socket_in_mtxrun	1970-01-01 01:00:00.000000000 +0100
+++ context-2021.03.05.20230120+dfsg/debian/patches/enable_socket_in_mtxrun	2023-06-13 00:36:17.000000000 +0200
@@ -0,0 +1,20 @@
+--- context.orig/texmf-dist/scripts/context/stubs/unix/mtxrun
++++ context/texmf-dist/scripts/context/stubs/unix/mtxrun
+@@ -25606,7 +25606,7 @@
+  end
+  return concat(flags," ")
+ end
+-local template=[[--ini %primaryflags% --lua=%luafile% %texfile% %secondaryflags% %redirect%]]
++local template=[[--ini %primaryflags% --socket --shell-escape --lua=%luafile% %texfile% %secondaryflags% %redirect%]]
+ local checkers={
+  primaryflags="verbose",
+  secondaryflags="verbose",
+@@ -25741,7 +25741,7 @@
+  report_format()
+  lfs.chdir(startupdir)
+ end
+-local template=[[%primaryflags% --fmt=%fmtfile% --lua=%luafile% %texfile% %secondaryflags%]]
++local template=[[%primaryflags% --socket --shell-escape --fmt=%fmtfile% --lua=%luafile% %texfile% %secondaryflags%]]
+ local checkers={
+  primaryflags="verbose",
+  secondaryflags="verbose",
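Review bot: both templates gain `--socket --shell-escape`, but the changelog entry only speaks of enabling the socket; `--shell-escape` turns on unrestricted shell escape for every luatex run launched through these two templates, which is a broader grant than the socket re-enable and, per bit 2 of UPDATE_SOCKET_STATUS() in the texlive-bin patch, already implies the socket on its own. If ConTeXt MkIV requires unrestricted shell escape here, say so in the changelog and give the patch a DEP-3 header; otherwise `--socket` alone meets the need described in the bug.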
diff -Nru context-2021.03.05.20230120+dfsg/debian/patches/series context-2021.03.05.20230120+dfsg/debian/patches/series
--- context-2021.03.05.20230120+dfsg/debian/patches/series	2022-02-12 15:29:32.000000000 +0100
+++ context-2021.03.05.20230120+dfsg/debian/patches/series	2023-06-13 00:36:17.000000000 +0200
@@ -1,2 +1,3 @@
 texfont_fontforge
 fix_for_manual_pages
+enable_socket_in_mtxrun

--- End Message ---
--- Begin Message ---
Version: 12.1

The upload requested in this bug has been released as part of 12.1.

--- End Message ---