Your message dated Sat, 22 Jul 2023 13:19:41 +0000 with message-id <e1qncwl-005ro2...@coccia.debian.org> and subject line Released with 12.1 has caused the Debian Bug report #1038000, regarding bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u1 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
1038000: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038000
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: texlive-...@packages.debian.org, car...@debian.org
Control: affects -1 + src:texlive-bin

  * Stop building *jit* binaries on i386 based arches to make TL installable
    on computers not supporting sse2 (Closes: #1035461).
  * Add patch for CVE-2023-32668: disable socket in luatex by default
    (Closes: #1036470).

[ Reason ]
- CVE-2023-32668: luatex can open connections to other devices, w/o
  notification to the end user. It is very surprising that a TeX engine
  allows unrestricted network access by default. This isn't a
  "vulnerability" per se, but the feature is sufficiently dangerous,
  unexpected, and rarely used for it to merit a security update.
- Not building *jit* binaries: currently users having a CPU without sse2
  support are not able to use TL at all, b/c texlive-binaries is not
  installable. The dependency on sse2-support was introduced in the late
  release cycle of bookworm; it is a regression compared to bullseye.

[ Impact ]
- Small security leak in luatex.
- Some people can't use TeX Live at all.

[ Tests ]
The patch for CVE-2023-32668 comes from upstream, was tested there and is
part of the luatex 1.17.0 release. I can confirm that the network access is
disabled with the patch applied.

The patch for not needing sse2 is rather trivial.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[ ] the issue is verified as fixed in unstable

Both fixes will be uploaded to experimental shortly as soon as TL 2023 is
packaged. The *jit* change will look a little different: I'll split the
*jit* binaries into a new package, so people having sse2 capable CPUs will
still be able to use the jit feature.

[ Other info ]
The ConTeXt mtxrun needs the --socket feature enabled, else the MkIV engine
won't work.
Hence we need an update of the context package too, which enables that feature at runtime. Therefore a 2nd debdiff is attached.

-- 
sigmentation fault

diff -Nru texlive-bin-2022.20220321.62855/debian/changelog texlive-bin-2022.20220321.62855/debian/changelog --- texlive-bin-2022.20220321.62855/debian/changelog 2023-05-18 23:15:13.000000000 +0200 +++ texlive-bin-2022.20220321.62855/debian/changelog 2023-06-12 23:19:18.000000000 +0200 @@ -1,3 +1,12 @@ +texlive-bin (2022.20220321.62855-5.1+deb12u1) UNRELEASED; urgency=medium + + * Stop building *jit* binaries on i386 based arches to make TL installable + on computers not supporting sse2 (Closes: #1035461). + * Add patch for CVE-2023-32668: disable socket in luatex by default + (Closes: #1036470). + + -- Hilmar Preusse <hill...@web.de> Mon, 12 Jun 2023 23:19:18 +0200 + texlive-bin (2022.20220321.62855-5.1) unstable; urgency=high * Non-maintainer upload. diff -Nru texlive-bin-2022.20220321.62855/debian/control texlive-bin-2022.20220321.62855/debian/control --- texlive-bin-2022.20220321.62855/debian/control 2023-05-18 23:15:13.000000000 +0200 +++ texlive-bin-2022.20220321.62855/debian/control 2023-06-12 23:19:18.000000000 +0200 
@@ -50,13 +50,12 @@ libtexlua53-5 (<< ${source:Version}.1~), libtexluajit2 (>= ${source:Version}) [amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc], libtexluajit2 (<< ${source:Version}.1~) [amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc], - sse2-support [i386], t1utils, tex-common, perl:any, ${shlibs:Depends}, ${misc:Depends} Recommends: texlive-base, dvisvgm Replaces: ptex-bin, mendexk, jmpost, luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329) Conflicts: mendexk, makejvf, jmpost -Breaks: texlive-base (<< 2021), luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329) +Breaks: texlive-base (<< 2021), luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329), context (<= 2021.03.05.20230120+dfsg-1) Provides: texlive-base-bin, makejvf, mendexk, jmpost, luatex Description: Binaries for TeX Live This package contains all the binaries of TeX Live packages. diff -Nru texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch --- texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch 1970-01-01 01:00:00.000000000 +0100 +++ texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch 2023-06-12 23:19:18.000000000 +0200 
@@ -0,0 +1,234 @@ +--- texlive-bin.orig/texk/web2c/luatexdir/lua/loslibext.c ++++ texlive-bin/texk/web2c/luatexdir/lua/loslibext.c +@@ -1046,6 +1046,59 @@ + return ret; + } + ++/* socket.sleep and socket.gettime */ ++/* are duplicated here, and they are */ ++/* always available (the socket library */ ++/* can be nil in some setups) */ ++#ifdef _WIN32 ++static int socket_timeout_lua_sleep(lua_State *L) ++{ ++ double n = luaL_checknumber(L, 1); ++ if (n < 0.0) n = 0.0; ++ if (n < DBL_MAX/1000.0) n *= 1000.0; ++ if (n > INT_MAX) n = INT_MAX; ++ Sleep((int)n); ++ return 0; ++} ++static double socket_timeout_gettime(void) { ++ FILETIME ft; ++ double t; ++ GetSystemTimeAsFileTime(&ft); ++ /* Windows file time (time since January 1, 1601 (UTC)) */ ++ t = ft.dwLowDateTime/1.0e7 + ft.dwHighDateTime*(4294967296.0/1.0e7); ++ /* convert to Unix Epoch time (time since January 1, 1970 (UTC)) */ ++ return (t - 11644473600.0); ++} ++#else ++static int socket_timeout_lua_sleep(lua_State *L) ++{ ++ double n = luaL_checknumber(L, 1); ++ struct timespec t, r; ++ if (n < 0.0) n = 0.0; ++ if (n > INT_MAX) n = INT_MAX; ++ t.tv_sec = (int) n; ++ n -= t.tv_sec; ++ t.tv_nsec = (int) (n * 1000000000); ++ if (t.tv_nsec >= 1000000000) t.tv_nsec = 999999999; ++ while (nanosleep(&t, &r) != 0) { ++ t.tv_sec = r.tv_sec; ++ t.tv_nsec = r.tv_nsec; ++ } ++ return 0; ++} ++static double socket_timeout_gettime(void) { ++ struct timeval v; ++ gettimeofday(&v, (struct timezone *) NULL); ++ /* Unix Epoch time (time since January 1, 1970 (UTC)) */ ++ return v.tv_sec + v.tv_usec/1.0e6; ++} ++#endif ++static int socket_timeout_lua_gettime(lua_State *L) ++{ ++ lua_pushnumber(L, socket_timeout_gettime()); ++ return 1; ++} ++ + + /* + ** ====================================================== +@@ -1185,8 +1238,16 @@ + lua_setfield(L, -2, "execute"); + lua_pushcfunction(L, os_tmpdir); + lua_setfield(L, -2, "tmpdir"); ++ + lua_pushcfunction(L, io_kpse_popen); + lua_setfield(L, -2, "kpsepopen"); + ++ 
lua_pushcfunction(L, socket_timeout_lua_sleep); ++ lua_setfield(L, -2, "socketsleep"); ++ ++ lua_pushcfunction(L, socket_timeout_lua_gettime); ++ lua_setfield(L, -2, "socketgettime"); ++ ++ + lua_pop(L, 1); /* pop the table */ + } +--- texlive-bin.orig/texk/web2c/luatexdir/lua/luainit.c ++++ texlive-bin/texk/web2c/luatexdir/lua/luainit.c +@@ -85,6 +85,8 @@ + " --lua=FILE load and execute a lua initialization script", + " --[no-]mktex=FMT disable/enable mktexFMT generation (FMT=tex/tfm)", + " --nosocket disable the lua socket library", ++ " --no-socket disable the lua socket library", ++ " --socket enable the lua socket library", + " --output-comment=STRING use STRING for DVI file comment instead of date (no effect for PDF)", + " --output-directory=DIR use existing DIR as the directory to write files in", + " --output-format=FORMAT use FORMAT for job output; FORMAT is 'dvi' or 'pdf'", +@@ -212,9 +214,30 @@ + #endif + + int safer_option = 0; +-int nosocket_option = 0; ++int nosocket_option = 1; ++int nosocket_cli_option = 0; ++int yessocket_cli_option = 0; ++int socket_bitmask = 0; + int utc_option = 0; + ++/*tex We use a bitmask for the socket library: |0000| and |1xxx| implies |--nosocket|, ++ otherwise the socket library is enabled. Default value is |0000|, i.e. |--nosocket|. ++*/ ++#define UPDATE_SOCKET_STATUS() do { \ ++ socket_bitmask = 0; \ ++ socket_bitmask = safer_option==1? (8+socket_bitmask):socket_bitmask;\ ++ socket_bitmask = nosocket_cli_option==1? (4+socket_bitmask):socket_bitmask;\ ++ socket_bitmask = (shellenabledp == 1 && restrictedshell == 0)?(2+socket_bitmask):socket_bitmask;\ ++ socket_bitmask = yessocket_cli_option==1? (1+socket_bitmask):socket_bitmask;\ ++ if( socket_bitmask==0) { \ ++ nosocket_option = 1; \ ++ } else if ( socket_bitmask<4) { \ ++ nosocket_option = 0; \ ++ } else { \ ++ nosocket_option = 1; \ ++ } \ ++} while (0) ++ + /*tex + + Test whether getopt found an option ``A''. 
Assumes the option index is in the +@@ -242,7 +265,9 @@ + #endif + {"safer", 0, &safer_option, 1}, + {"utc", 0, &utc_option, 1}, +- {"nosocket", 0, &nosocket_option, 1}, ++ {"nosocket", 0, &nosocket_cli_option, 1}, ++ {"no-socket", 0, &nosocket_cli_option, 1}, ++ {"socket", 0, &yessocket_cli_option, 1}, + {"help", 0, 0, 0}, + {"ini", 0, &ini_version, 1}, + {"interaction", 1, 0, 0}, +@@ -524,14 +549,11 @@ + input_name = xstrdup(sargv[sargc-1]); + sargv[sargc-1] = normalize_quotes(input_name, "argument"); + } +- if (safer_option) /* --safer implies --nosocket */ +- nosocket_option = 1; ++ UPDATE_SOCKET_STATUS(); + return; + #endif + } +- /*tex |--safer| implies |--nosocket| */ +- if (safer_option) +- nosocket_option = 1; ++ UPDATE_SOCKET_STATUS(); + /*tex Finalize the input filename. */ + if (input_name != NULL) { + argv[optind] = normalize_quotes(input_name, "argument"); +@@ -980,6 +1002,7 @@ + shellenabledp = true; + restrictedshell = false; + safer_option = 0; ++ nosocket_option = 0; + } + /*tex + Get the current locale (it should be |C|) and save |LC_CTYPE|, |LC_COLLATE| +@@ -1148,6 +1171,7 @@ + } + free(v1); + } ++ UPDATE_SOCKET_STATUS(); + /*tex If shell escapes are restricted, get allowed cmds from cnf. */ + if (shellenabledp && restrictedshell == 1) { + v1 = NULL; +--- texlive-bin.orig/texk/web2c/luatexdir/lua/luastuff.c ++++ texlive-bin/texk/web2c/luatexdir/lua/luastuff.c +@@ -323,7 +323,8 @@ + /*tex + The socket and mime libraries are a bit tricky to open because they use a + load-time dependency that has to be worked around for luatex, where the C +- module is loaded way before the lua module. ++ module is loaded way before the lua module. ++ The mime library is always available, even if the socket library is not enabled. 
+ */ + if (!nosocket_option) { + /* todo: move this to common */ +@@ -348,6 +349,23 @@ + lua_pop(L, 2); + /*tex preload the pure \LUA\ modules */ + luatex_socketlua_open(L); ++ } else { ++ lua_getglobal(L, "package"); ++ lua_getfield(L, -1, "loaded"); ++ if (!lua_istable(L, -1)) { ++ lua_newtable(L); ++ lua_setfield(L, -2, "loaded"); ++ lua_getfield(L, -1, "loaded"); ++ } ++ /*tex |package.loaded.mime = nil| */ ++ luaopen_mime_core(L); ++ lua_setfield(L, -2, "mime.core"); ++ lua_pushnil(L); ++ lua_setfield(L, -2, "mime"); ++ /*tex pop the table */ ++ lua_pop(L, 1); ++ /*tex preload the pure \LUA\ mime module */ ++ luatex_socketlua_safe_open(L); + } + luaopen_zlib(L); + luaopen_gzip(L); +--- texlive-bin.orig/texk/web2c/luatexdir/lua/luatex-api.h ++++ texlive-bin/texk/web2c/luatexdir/lua/luatex-api.h +@@ -123,6 +123,7 @@ + extern int luaopen_socket_core(lua_State * L); + extern int luaopen_mime_core(lua_State * L); + extern void luatex_socketlua_open(lua_State * L); ++extern void luatex_socketlua_safe_open(lua_State * L); + + extern int luaopen_img(lua_State * L); + extern int l_new_image(lua_State * L); +--- texlive-bin.orig/texk/web2c/luatexdir/luasocket/src/lua_preload.c ++++ texlive-bin/texk/web2c/luatexdir/luasocket/src/lua_preload.c +@@ -16,6 +16,7 @@ + + + extern void luatex_socketlua_open (lua_State *) ; ++extern void luatex_socketlua_safe_open (lua_State *) ; + #include "ftp_lua.c" + #include "headers_lua.c" + #include "http_lua.c" +@@ -47,3 +48,11 @@ + TEST(luatex_http_lua_open(L)); + TEST(luatex_ftp_lua_open(L)); + } ++ ++/* luatex_socketlua_safe_open: load safe modules */ ++/* of luasocket ( mime ). 
*/ ++void ++luatex_socketlua_safe_open (lua_State *L) { ++ TEST(luatex_ltn12_lua_open(L)); ++ TEST(luatex_mime_lua_open(L)); ++} diff -Nru texlive-bin-2022.20220321.62855/debian/patches/series texlive-bin-2022.20220321.62855/debian/patches/series --- texlive-bin-2022.20220321.62855/debian/patches/series 2023-05-18 23:15:13.000000000 +0200 +++ texlive-bin-2022.20220321.62855/debian/patches/series 2023-06-12 23:19:18.000000000 +0200 @@ -14,3 +14,4 @@ bad-whatis-entry_xml2pmx.1 wrong-manual-section_axohelp.1 CVE-2023-32700.patch +CVE-2023-32668.patch diff -Nru texlive-bin-2022.20220321.62855/debian/rules texlive-bin-2022.20220321.62855/debian/rules --- texlive-bin-2022.20220321.62855/debian/rules 2023-05-18 23:15:13.000000000 +0200 +++ texlive-bin-2022.20220321.62855/debian/rules 2023-06-12 23:19:18.000000000 +0200 @@ -12,7 +12,7 @@ # all cases. We have now two ways to test for where to build. # One by disabling on the other platforms, one by whitelisting # and building only on some platforms. -LUAJIT_GOOD_ARCHS := amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc +LUAJIT_GOOD_ARCHS := amd64 armel armhf kfreebsd-amd64 powerpc # In case one wants to build with old automake (<< 1.13.1), the following # variable has to be set. By default the debian/control requires highdiff -Nru context-2021.03.05.20230120+dfsg/debian/changelog context-2021.03.05.20230120+dfsg/debian/changelog --- context-2021.03.05.20230120+dfsg/debian/changelog 2023-01-20 23:38:39.000000000 +0100 +++ context-2021.03.05.20230120+dfsg/debian/changelog 2023-06-13 00:36:17.000000000 +0200 
@@ -1,3 +1,9 @@ +context (2021.03.05.20230120+dfsg-1+deb12u1) UNRELEASED; urgency=medium + + * Explicitely enable socket in ConTeXt mtxrun (see #1036470). + + -- Hilmar Preusse <hill...@web.de> Tue, 13 Jun 2023 00:36:17 +0200 + context (2021.03.05.20230120+dfsg-1) unstable; urgency=medium * Remove some TeX files not meeting the DFSG from orig.tar.gz diff -Nru context-2021.03.05.20230120+dfsg/debian/patches/enable_socket_in_mtxrun context-2021.03.05.20230120+dfsg/debian/patches/enable_socket_in_mtxrun --- context-2021.03.05.20230120+dfsg/debian/patches/enable_socket_in_mtxrun 1970-01-01 01:00:00.000000000 +0100 +++ context-2021.03.05.20230120+dfsg/debian/patches/enable_socket_in_mtxrun 2023-06-13 00:36:17.000000000 +0200 @@ -0,0 +1,20 @@ +--- context.orig/texmf-dist/scripts/context/stubs/unix/mtxrun ++++ context/texmf-dist/scripts/context/stubs/unix/mtxrun +@@ -25606,7 +25606,7 @@ + end + return concat(flags," ") + end +-local template=[[--ini %primaryflags% --lua=%luafile% %texfile% %secondaryflags% %redirect%]] ++local template=[[--ini %primaryflags% --socket --shell-escape --lua=%luafile% %texfile% %secondaryflags% %redirect%]] + local checkers={ + primaryflags="verbose", + secondaryflags="verbose", +@@ -25741,7 +25741,7 @@ + report_format() + lfs.chdir(startupdir) + end +-local template=[[%primaryflags% --fmt=%fmtfile% --lua=%luafile% %texfile% %secondaryflags%]] ++local template=[[%primaryflags% --socket --shell-escape --fmt=%fmtfile% --lua=%luafile% %texfile% %secondaryflags%]] + local checkers={ + primaryflags="verbose", + secondaryflags="verbose", diff -Nru context-2021.03.05.20230120+dfsg/debian/patches/series context-2021.03.05.20230120+dfsg/debian/patches/series --- context-2021.03.05.20230120+dfsg/debian/patches/series 2022-02-12 15:29:32.000000000 +0100 +++ context-2021.03.05.20230120+dfsg/debian/patches/series 2023-06-13 00:36:17.000000000 +0200 @@ -1,2 +1,3 @@ texfont_fontforge fix_for_manual_pages +enable_socket_in_mtxrunsignature.asc
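Review bot: the new texlive-bin debian/changelog entry targets UNRELEASED; for a bookworm-pu upload the distribution field has to read bookworm before the package is uploaded, otherwise it is not accepted into the stable-proposed-updates queue. The two bullet points themselves match the bug numbers the request references and need no change.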
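Review bot: in the debian/control hunk the libtexluajit2 Depends entries of texlive-binaries keep the qualifier `[amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc]`, while the debian/rules hunk removes hurd-i386, i386 and kfreebsd-i386 from LUAJIT_GOOD_ARCHS. If libtexluajit2 is no longer built on those three architectures, texlive-binaries there still depends on it and stays uninstallable, which is exactly the symptom #1035461 is meant to fix; drop the same three entries from both Depends qualifiers (and from the Architecture field of the libtexluajit2 stanza, which this debdiff does not show). The added Breaks on context (<= 2021.03.05.20230120+dfsg-1) pairs correctly with the +deb12u1 version in the second debdiff.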
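Review bot: in the POSIX socket_timeout_lua_sleep of the loslibext.c hunk, `while (nanosleep(&t, &r) != 0)` retries on every non-zero return instead of only when errno is EINTR; the clamping above it rules out EINVAL today, so this is a robustness point rather than a bug, but an errno check would keep a future bad input from spinning. The same hunk starts using DBL_MAX, INT_MAX, nanosleep and gettimeofday without adding any #include, so confirm loslibext.c already pulls in <float.h>, <limits.h>, <time.h> and <sys/time.h>, otherwise the build fails on toolchains that reject implicit declarations.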
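Review bot: the usage text added in luainit.c still documents --nosocket as "disable the lua socket library" without saying that this is now the default, and it says nothing about the two ways the library gets turned on: --socket, and an unrestricted --shell-escape (bit 2 of the bitmask in the next hunk). A line such as `--socket enable the lua socket library (off by default unless shell escape is unrestricted)` would make the new behaviour discoverable from --help, and a NEWS.Debian entry would warn bookworm users whose documents relied on the old default. The new os.socketsleep and os.socketgettime functions are likewise undocumented anywhere in the patch.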
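Review bot: the comment above UPDATE_SOCKET_STATUS() says that |0000| and |1xxx| imply --nosocket, but the code disables the library for every bitmask value of 4 or more, i.e. also for |01xx| when --nosocket or --no-socket is given; the comment should say so, because the precedence it implies (--nosocket and --safer always win over --socket and --shell-escape, regardless of argument order) is the security property this patch relies on. Worth stating in the same comment: bit 2 means a plain unrestricted --shell-escape, including shell_escape=t from texmf.cnf once the UPDATE_SOCKET_STATUS() call added after the cnf is read (hunk around line 1171) runs, silently enables sockets without any --socket flag.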
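Review bot: in the hunk around line 1002, nosocket_option is set to 0 directly instead of going through UPDATE_SOCKET_STATUS(), so in that branch the four command-line bits are never consulted; since the adjacent lines also force shellenabledp = true and safer_option = 0 this is presumably deliberate, but a comment saying that sockets are unconditionally on here, and in which mode, would stop the next reader from treating it as a bypass of the new default.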
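Review bot: in the new else branch of luastuff.c the closing `lua_pop(L, 1)` leaves one value on the stack: `lua_getglobal(L, "package")` and `lua_getfield(L, -1, "loaded")` push two values, and the two lua_setfield calls only consume what luaopen_mime_core and lua_pushnil push, which is why the enabled branch above ends with `lua_pop(L, 2)`; use `lua_pop(L, 2)` here too. Two smaller points in the same hunk: the `if (!lua_istable(L, -1))` fallback calls `lua_setfield(L, -2, "loaded")` while the non-table value, not package, sits at -2 (copied from the enabled branch and unreachable in practice, since package.loaded always exists); and the branch deliberately leaves package.loaded.socket untouched, so a negative test under [Tests] (`pcall(require, "socket")` failing while os.socketgettime still works) would pin down the behaviour the changelog promises.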
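Review bot: the comment on luatex_socketlua_safe_open in lua_preload.c says it loads "safe modules of luasocket ( mime )" but the body also opens ltn12; list both so a reader knows what stays reachable with sockets off. The extern prototype is now duplicated between luatex-api.h and lua_preload.c, mirroring luatex_socketlua_open; one home would do.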
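Review bot: CVE-2023-32668.patch is added to debian/patches/series without a DEP-3 header; since the [Tests] section says it is the upstream fix shipped in luatex 1.17.0, a short header (Description, Origin: upstream with the release or commit reference, Bug-Debian: https://bugs.debian.org/1036470) would let the security tracker and the next maintainer verify that without re-diffing against upstream.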
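Review bot: "Explicitely" in the context changelog entry should be "Explicitly", and the entry targets UNRELEASED rather than bookworm. The wording also understates the change: the mtxrun patch adds --shell-escape as well as --socket, which deserves its own sentence here.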
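Review bot: both templates in enable_socket_in_mtxrun gain `--socket --shell-escape`, but only --socket is justified by the [Other info] text, and under the bitmask in the luatex patch an unrestricted --shell-escape alone already enables sockets, so the two flags are redundant with each other. If ConTeXt ran without --shell-escape before this change, forcing unrestricted shell escape on every mtxrun-driven run is a separate and larger change that widens what a malicious .tex file can do, and it needs its own justification; if it is required, say so in the changelog. The patch file also lacks a DEP-3 header (Description, Bug-Debian: https://bugs.debian.org/1036470, Forwarded: not-needed or the upstream reference).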
--- End Message ---
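The socket gating the request describes ("disable socket in luatex by default", with ConTeXt needing --socket) is easier to reason about as a decision table. The following is an added example written for this page, not code from the Debian package or from upstream luatex: it re-implements the UPDATE_SOCKET_STATUS() bitmask from the patch as a plain C function and tabulates which flag combinations end up with the socket library loaded. The mapping of `--shell-escape` and `--shell-restricted` onto shellenabledp/restrictedshell is an assumption made here; the shell_escape setting from texmf.cnf and the branch that forces nosocket_option = 0 are not modelled.

```c
/*
 * Added example for this page (not part of texlive-bin, Debian's packaging
 * or upstream luatex): a stand-alone model of the UPDATE_SOCKET_STATUS()
 * bitmask from the CVE-2023-32668 patch, so the precedence of --safer,
 * --nosocket/--no-socket, --socket and unrestricted shell escape can be
 * tabulated and tested without building luatex.
 *
 * Assumption: --shell-escape sets shellenabledp=1/restrictedshell=0 and
 * --shell-restricted sets shellenabledp=1/restrictedshell=1; shell_escape
 * from texmf.cnf and the nosocket_option = 0 branch are not modelled.
 */
#include <stdio.h>
#include <string.h>

struct luatex_opts {
    int safer_option;         /* --safer */
    int nosocket_cli_option;  /* --nosocket or --no-socket */
    int yessocket_cli_option; /* --socket */
    int shellenabledp;        /* shell escape enabled at all */
    int restrictedshell;      /* ... but limited to shell_escape_commands */
};

/* The four bits exactly as the patch composes socket_bitmask. */
static int socket_bitmask(const struct luatex_opts *o)
{
    int mask = 0;
    if (o->safer_option)                         mask += 8;
    if (o->nosocket_cli_option)                  mask += 4;
    if (o->shellenabledp && !o->restrictedshell) mask += 2;
    if (o->yessocket_cli_option)                 mask += 1;
    return mask;
}

/* 1 when luatex would load the socket library, 0 when nosocket_option ends
 * up set: mask 0 -> off (the new default), 1..3 -> on, anything >= 4 -> off,
 * i.e. --nosocket and --safer always beat --socket and --shell-escape. */
int socket_enabled(const struct luatex_opts *o)
{
    int mask = socket_bitmask(o);
    if (mask == 0) return 0;
    if (mask < 4)  return 1;
    return 0;
}

/* Apply one command-line token; anything not modelled is ignored. */
static void apply_flag(struct luatex_opts *o, const char *flag)
{
    if (strcmp(flag, "--safer") == 0)
        o->safer_option = 1;
    else if (strcmp(flag, "--nosocket") == 0 || strcmp(flag, "--no-socket") == 0)
        o->nosocket_cli_option = 1;
    else if (strcmp(flag, "--socket") == 0)
        o->yessocket_cli_option = 1;
    else if (strcmp(flag, "--shell-escape") == 0) {
        o->shellenabledp = 1;
        o->restrictedshell = 0;
    } else if (strcmp(flag, "--shell-restricted") == 0) {
        o->shellenabledp = 1;
        o->restrictedshell = 1;
    }
}

/* Evaluate a space-separated luatex command line, e.g. "--socket --safer". */
int socket_enabled_cmdline(const char *cmdline)
{
    char buf[256];
    struct luatex_opts o;
    char *tok;

    memset(&o, 0, sizeof o);
    strncpy(buf, cmdline, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " "))
        apply_flag(&o, tok);
    return socket_enabled(&o);
}

int main(void)
{
    /* Constructed sample command lines, including the pair ConTeXt's mtxrun
     * passes (--socket --shell-escape) and the order independence of
     * --nosocket versus --socket. */
    static const char *const cases[] = {
        "",
        "--socket",
        "--shell-escape",
        "--shell-restricted",
        "--socket --shell-escape",
        "--socket --nosocket",
        "--nosocket --socket",
        "--no-socket --shell-escape",
        "--safer --socket",
        "--safer --shell-escape",
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-32s socket %s\n",
               cases[i][0] ? cases[i] : "(no flags)",
               socket_enabled_cmdline(cases[i]) ? "ENABLED" : "disabled");
    return 0;
}
```

The table makes two consequences of the patch visible that the changelog line does not: a bare unrestricted `--shell-escape` turns sockets on without any `--socket`, so the `--socket` that mtxrun adds next to `--shell-escape` is redundant, and `--nosocket` or `--safer` wins over `--socket` in either order, which is the property a hardened wrapper script can rely on.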
--- Begin Message ---
Version: 12.1

The upload requested in this bug has been released as part of 12.1.
--- End Message ---