Bug#1038000: bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u1

2023-06-30 Thread Preuße

On 30.06.2023 13:56, Jonathan Wiltshire wrote:

Hi Jonathan,

> You also need to target bookworm, not bookworm-proposed-updates, so I'll
> reject the uploads and you can re-use the same version number.

Done. The packages are in the "Resolution Pending" queue. Hope I did
everything right this time.


Hilmar
--
sigfault



OpenPGP_0x0C871C4C653C1F59.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature


Bug#1038000: bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u1

2023-06-30 Thread Jonathan Wiltshire
On Fri, Jun 30, 2023 at 09:56:03AM +0200, Preuße wrote:
> On 30.06.2023 00:11, Hilmar Preuße wrote:
> > On 6/28/23 09:01, Jonathan Wiltshire wrote:
> 
> Hi Jonathan,
> 
> > > When do you expect the bugs to be closed in unstable?
> > > 
> > I've pushed the new texlive-bin and the context package to unstable.
> The build fails on: i386. I guess I know the root cause and prepare a new
> package. Sorry for the noise!
> 
> 5.1+deb12u1 needs to be updated too.

You also need to target bookworm, not bookworm-proposed-updates, so I'll
reject the uploads and you can re-use the same version number.

Thanks,



-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1038000: bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u1

2023-06-30 Thread Preuße

On 30.06.2023 00:11, Hilmar Preuße wrote:

> On 6/28/23 09:01, Jonathan Wiltshire wrote:
>
> Hi Jonathan,
>
> > When do you expect the bugs to be closed in unstable?
>
> I've pushed the new texlive-bin and the context package to unstable.

The build fails on: i386. I guess I know the root cause and will prepare a
new package. Sorry for the noise!

5.1+deb12u1 needs to be updated too.

Hilmar
--
sigfault





Bug#1038000: bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u1

2023-06-29 Thread Hilmar Preuße

On 6/28/23 09:01, Jonathan Wiltshire wrote:

Hi Jonathan,

> When do you expect the bugs to be closed in unstable?

I've pushed the new texlive-bin and the context package to unstable.

Hilmar
--
Testmail



Bug#1038000: bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u1

2023-06-27 Thread Preuße

On 26.06.2023 07:56, Jonathan Wiltshire wrote:

> Control: tag -1 confirmed

Hello,

> On Thu, Jun 15, 2023 at 12:09:55PM +0200, Hilmar Preusse wrote:
> > * Stop building *jit* binaries on i386 based arches to make TL installable
> >   on computers not supporting sse2 (Closes: #1035461).
> > * Add patch for CVE-2023-32668: disable socket in luatex by default
> >   (Closes: #1036470).
>
> Please go ahead.

Done.

Hilmar
--
sigfault





Bug#1038000: bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u1

2023-06-26 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Thu, Jun 15, 2023 at 12:09:55PM +0200, Hilmar Preusse wrote:
> * Stop building *jit* binaries on i386 based arches to make TL installable
>   on computers not supporting sse2 (Closes: #1035461).
> * Add patch for CVE-2023-32668: disable socket in luatex by default
>   (Closes: #1036470).

Please go ahead.

Thanks,





signature.asc
Description: PGP signature


Bug#1038000: bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u1

2023-06-15 Thread Hilmar Preusse
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: texlive-...@packages.debian.org, car...@debian.org
Control: affects -1 + src:texlive-bin

* Stop building *jit* binaries on i386 based arches to make TL installable
  on computers not supporting sse2 (Closes: #1035461).
* Add patch for CVE-2023-32668: disable socket in luatex by default
  (Closes: #1036470).

[ Reason ]
- CVE-2023-32668: luatex can open connections to other devices, without
  notification to the end user. It is very surprising that a TeX engine
  allows unrestricted network access by default. This isn't a
  "vulnerability" per se, but the feature is sufficiently dangerous,
  unexpected, and rarely used for it to merit a security update.
- Not building *jit* binaries: currently users with a CPU without sse2
  support are not able to use TL at all, because texlive-binaries is not
  installable. The dependency on sse2-support was introduced late in the
  bookworm release cycle; it is a regression relative to bullseye.

[ Impact ]
- Small security leak in luatex.
- Some people can't use TeX Live at all.

[ Tests ]
The patch for CVE-2023-32668 comes from upstream, was tested there and is
part of the luatex 1.17.0 release. I can confirm that the network access
is disabled with the patch applied.
The patch for not needing sse2 is rather trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable

Both fixes will be uploaded to experimental shortly, as soon as TL 2023 is
packaged. The *jit* change will look a little different: I'll split the
*jit* binaries into a new package, so people with sse2-capable CPUs will
still be able to use the jit feature.

[ Other info ]
The ConTeXt mtxrun needs the --socket feature enabled, else the MkIV engine
won't work. Hence we need an update of the context package too, which enables
that feature at runtime. Therefore a 2nd debdiff is attached.

-- 
sigmentation fault
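As an added check of the [Tests] claim above (network access disabled by default, --socket needed by mtxrun), here is a small shell probe. It is not part of the bug report, of the debdiffs, or of the texlive-bin package. It assumes the luatex 1.17 semantics described in the thread: the `socket` Lua table is nil unless the engine is started with `--socket`, `\directlua` and the `texio` library are usable in `--ini` mode, and the marker strings and the `classify_probe` / `probe_socket` function names are my own.

```shell
#!/bin/sh
# Added probe (not from the bug report or the package): ask a luatex binary
# whether the Lua 'socket' library is reachable, by default and with --socket.
# Assumptions: luatex >= 1.17 behaviour (socket off by default, --socket turns
# it on); \directlua works in --ini mode; the marker strings are ours.
set -u

# Lua snippet run inside the engine. It prints a fixed marker on the terminal
# depending on whether the global 'socket' is a table (loaded) or nil.
PROBE_LUA='if type(socket) == "table" then texio.write_nl("term", "LUATEX_SOCKET=enabled") else texio.write_nl("term", "LUATEX_SOCKET=disabled") end'

# classify_probe OUTPUT
# Map the engine's combined stdout/stderr to one of: enabled, disabled, unknown.
# 'unknown' covers a missing or crashing engine, or a binary too old to print
# anything useful, so the caller never mistakes a failed run for "disabled".
classify_probe() {
  case "$1" in
    *LUATEX_SOCKET=enabled*)  echo enabled ;;
    *LUATEX_SOCKET=disabled*) echo disabled ;;
    *)                        echo unknown ;;
  esac
}

# probe_socket [extra luatex args...]
# Run luatex in ini mode (no format needed) on the snippet and classify the
# result. Runs in $TMPDIR so the texput.log it writes does not litter the cwd.
probe_socket() {
  out=$(cd "${TMPDIR:-/tmp}" && luatex --ini --interaction=nonstopmode "$@" \
        "\\directlua{$PROBE_LUA}\\end" 2>&1) || true
  classify_probe "$out"
}

# expect WANT GOT: tiny assertion helper for the self-check below.
expect() {
  if [ "$1" != "$2" ]; then
    echo "FAIL: expected $1, got $2" >&2
    return 1
  fi
  echo "ok: $2"
}

# Only talk to the real engine when one is installed; classify_probe itself
# is pure and can be exercised offline with captured output.
if command -v luatex >/dev/null 2>&1; then
  expect disabled "$(probe_socket)"           # patched engine: no network by default
  expect enabled  "$(probe_socket --socket)"  # what mtxrun needs for MkIV
fi
```

On a bookworm box with the updated texlive-binaries the first probe should report disabled and the second enabled; an unpatched 2022 engine reports enabled for both, which is exactly the behaviour CVE-2023-32668 describes.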
diff -Nru texlive-bin-2022.20220321.62855/debian/changelog texlive-bin-2022.20220321.62855/debian/changelog
--- texlive-bin-2022.20220321.62855/debian/changelog	2023-05-18 23:15:13.0 +0200
+++ texlive-bin-2022.20220321.62855/debian/changelog	2023-06-12 23:19:18.0 +0200
@@ -1,3 +1,12 @@
+texlive-bin (2022.20220321.62855-5.1+deb12u1) UNRELEASED; urgency=medium
+
+  * Stop building *jit* binaries on i386 based arches to make TL installable
+on computers not supporting sse2 (Closes: #1035461).
+  * Add patch for CVE-2023-32668: disable socket in luatex by default
+(Closes: #1036470).
+
+ -- Hilmar Preusse   Mon, 12 Jun 2023 23:19:18 +0200
+
 texlive-bin (2022.20220321.62855-5.1) unstable; urgency=high
 
   * Non-maintainer upload.
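Review bot: the distribution field of the new changelog entry, `texlive-bin (2022.20220321.62855-5.1+deb12u1) UNRELEASED; urgency=medium`, must be changed to `bookworm` before the upload; as the release team says later in this thread, a stable update targets bookworm (not bookworm-proposed-updates), and an UNRELEASED entry is not accepted as an upload target. The version string and the two bullet items match the bug report, so nothing else in this hunk needs to change.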
diff -Nru texlive-bin-2022.20220321.62855/debian/control texlive-bin-2022.20220321.62855/debian/control
--- texlive-bin-2022.20220321.62855/debian/control	2023-05-18 23:15:13.0 +0200
+++ texlive-bin-2022.20220321.62855/debian/control	2023-06-12 23:19:18.0 +0200
@@ -50,13 +50,12 @@
   libtexlua53-5 (<< ${source:Version}.1~),
   libtexluajit2 (>= ${source:Version}) [amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc],
   libtexluajit2 (<< ${source:Version}.1~) [amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc],
-  sse2-support [i386],
   t1utils, tex-common, perl:any,
   ${shlibs:Depends}, ${misc:Depends}
 Recommends: texlive-base, dvisvgm
 Replaces: ptex-bin, mendexk, jmpost, luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329)
 Conflicts: mendexk, makejvf, jmpost
-Breaks: texlive-base (<< 2021), luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329)
+Breaks: texlive-base (<< 2021), luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329), context (<= 2021.03.05.20230120+dfsg-1)
 Provides: texlive-base-bin, makejvf, mendexk, jmpost, luatex
 Description: Binaries for TeX Live
  This package contains all the binaries of TeX Live packages.
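Review bot: the two `libtexluajit2` Depends lines still list i386, hurd-i386 and kfreebsd-i386 although the changelog entry says the *jit* binaries are no longer built on i386 based arches; if luajittex and friends are not shipped there any more, drop those arches from both lines (or state in the changelog why the library is still needed). The added `Breaks: context (<= 2021.03.05.20230120+dfsg-1)` is the right mechanism to force the context update that passes --socket, but confirm that the version of the context package in the second debdiff is strictly greater than that bound, otherwise both packages become uninstallable together on upgrade.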
diff -Nru texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch
--- texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch	1970-01-01 01:00:00.0 +0100
+++ texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch	2023-06-12 23:19:18.0 +0200
@@ -0,0 +1,234 @@
+--- texlive-bin.orig/texk/web2c/luatexdir/lua/loslibext.c
 texlive-bin/texk/web2c/luatexdir/lua/loslibext.c
+@@ -1046,6 +1046,59 @@
+ return ret;
+ }
+ 
++/* socket.sleep and socket.gettime  */
++/* are duplicated here, and they are*/
++/* always available (the socket library */
++/* can  be nil in some setups)  */
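Review bot: the new debian/patches/CVE-2023-32668.patch starts straight at the `--- texlive-bin.orig/texk/web2c/luatexdir/lua/loslibext.c` header with no DEP-3 header block; add `Description:`, `Origin: upstream` with the luatex commit or release it was taken from (the bug report says it is part of luatex 1.17.0), `Bug-Debian: https://bugs.debian.org/1036470` and the CVE id, so the security tracker and whoever rebases this onto TL 2023 can trace it. The loslibext.c `+++` line is shown here without its leading `+++`, which looks like list-archive mangling rather than a defect in the patch, but it is worth confirming that the uploaded patch still applies cleanly with `quilt push -a`.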