Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: texlive-...@packages.debian.org, car...@debian.org
Control: affects -1 + src:texlive-bin
  * Stop building *jit* binaries on i386 based arches to make TL installable
    on computers not supporting sse2 (Closes: #1035461).
  * Add patch for CVE-2023-32668: disable socket in luatex by default
    (Closes: #1036470).
[ Reason ]
- CVE-2023-32668: luatex can open connections to other devices without
  notification to the end user. It is very surprising that a TeX engine
  allows unrestricted network access by default. This isn't a
  "vulnerability" per se, but the feature is sufficiently dangerous,
  unexpected, and rarely used for it to merit a security update.
- Not building *jit* binaries: currently users having a CPU without sse2
  support are not able to use TL at all, because texlive-binaries is not
  installable. The dependency on sse2-support was introduced late in the
  bookworm release cycle; it is a regression relative to bullseye.
[ Impact ]
- Small security leak in luatex.
- Some people can't use TeX Live at all.
[ Tests ]
The patch for CVE-2023-32668 comes from upstream, was tested there and is
part of the luatex 1.17.0 release. I can confirm that the network access
is disabled with the patch applied.
The patch for not needing sse2 is rather trivial.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[ ] the issue is verified as fixed in unstable
Both fixes will be uploaded to experimental shortly, as soon as TL 2023 is
packaged. The *jit* change will look a little different there: I'll split the
*jit* binaries into a new package, so people having sse2-capable CPUs will
still be able to use the jit feature.
[ Other info ]
The ConTeXt mtxrun needs the --socket feature enabled, otherwise the MkIV engine
won't work. Hence we need an update of the context package too, which enables
that feature at runtime. Therefore a second debdiff is attached.
--
sigmentation fault
diff -Nru texlive-bin-2022.20220321.62855/debian/changelog texlive-bin-2022.20220321.62855/debian/changelog
--- texlive-bin-2022.20220321.62855/debian/changelog 2023-05-18 23:15:13.0 +0200
+++ texlive-bin-2022.20220321.62855/debian/changelog 2023-06-12 23:19:18.0 +0200
@@ -1,3 +1,12 @@
+texlive-bin (2022.20220321.62855-5.1+deb12u1) UNRELEASED; urgency=medium
+
+ * Stop building *jit* binaries on i386 based arches to make TL installable
+on computers not supporting sse2 (Closes: #1035461).
+ * Add patch for CVE-2023-32668: disable socket in luatex by default
+(Closes: #1036470).
+
+ -- Hilmar Preusse Mon, 12 Jun 2023 23:19:18 +0200
+
texlive-bin (2022.20220321.62855-5.1) unstable; urgency=high
* Non-maintainer upload.
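Review bot: the new changelog entry targets UNRELEASED although this pu request is tagged bookworm; before upload the first line should read `texlive-bin (2022.20220321.62855-5.1+deb12u1) bookworm; urgency=medium`. The continuation lines of both bullets (`+on computers not supporting sse2 ...` and `+(Closes: #1036470).`) also appear without the indentation that debian/changelog uses for wrapped bullet text; if that is not just whitespace lost in transit, it should be restored so the entry parses cleanly. The checklist above leaves "verified as fixed in unstable" unticked, so the entry should probably not claim more than the pu itself until the unstable upload has happened.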
diff -Nru texlive-bin-2022.20220321.62855/debian/control texlive-bin-2022.20220321.62855/debian/control
--- texlive-bin-2022.20220321.62855/debian/control 2023-05-18 23:15:13.0 +0200
+++ texlive-bin-2022.20220321.62855/debian/control 2023-06-12 23:19:18.0 +0200
@@ -50,13 +50,12 @@
libtexlua53-5 (<< ${source:Version}.1~),
libtexluajit2 (>= ${source:Version}) [amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc],
libtexluajit2 (<< ${source:Version}.1~) [amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc],
- sse2-support [i386],
t1utils, tex-common, perl:any,
${shlibs:Depends}, ${misc:Depends}
Recommends: texlive-base, dvisvgm
Replaces: ptex-bin, mendexk, jmpost, luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329)
Conflicts: mendexk, makejvf, jmpost
-Breaks: texlive-base (<< 2021), luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329)
+Breaks: texlive-base (<< 2021), luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329), context (<= 2021.03.05.20230120+dfsg-1)
Provides: texlive-base-bin, makejvf, mendexk, jmpost, luatex
Description: Binaries for TeX Live
This package contains all the binaries of TeX Live packages.
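Review bot: dropping `sse2-support [i386]` removes the installability blocker, but the two `libtexluajit2` lines still list i386, hurd-i386 and kfreebsd-i386 even though the changelog entry says the *jit* binaries are no longer built on i386-based arches; either confirm that libtexluajit2 is still built and needed there, or drop those arches from both lines as well. The added `Breaks: context (<= 2021.03.05.20230120+dfsg-1)` has to match the version of the context update announced under [ Other info ]; that second debdiff is not part of this hunk, so the version cannot be cross-checked here.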
diff -Nru texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch
--- texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch 1970-01-01 01:00:00.0 +0100
+++ texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch 2023-06-12 23:19:18.0 +0200
@@ -0,0 +1,234 @@
+--- texlive-bin.orig/texk/web2c/luatexdir/lua/loslibext.c
texlive-bin/texk/web2c/luatexdir/lua/loslibext.c
+@@ -1046,6 +1046,59 @@
+ return ret;
+ }
+
++/* socket.sleep and socket.gettime */
++/* are duplicated here, and they are*/
++/* always available (the socket library */
++/* can be nil in some setups) */
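Review bot: the embedded patch begins directly with `--- texlive-bin.orig/texk/web2c/luatexdir/lua/loslibext.c` and carries no DEP-3 header (Origin, Bug, Bug-Debian, Description); it should at least name the CVE and the upstream luatex 1.17.0 change it was taken from, since [ Tests ] relies on that provenance. The second file-header line (`texlive-bin/texk/web2c/luatexdir/lua/loslibext.c`) is shown without its `+++` prefix, which quilt would not parse if the file really looks like that rather than having lost the prefix in transit. The hunk is cut off after the first comment lines, so the change that actually disables the socket library by default is not visible for review in this excerpt.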