Bug 31952

Summary: texlive new security issue CVE-2023-32700
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, sysadmin-bugs
Version: CauldronKeywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Source RPM: texlive-20220321-6.mga9.src.rpm CVE: CVE-2023-32700
Status comment:

Description David Walser 2023-05-22 14:49:03 CEST 
Debian has issued an advisory on May 20:
https://www.debian.org/security/2023/dsa-5406

Mageia 8 is also affected.
David Walser 2023-05-22 14:49:11 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-05-29 21:37:25 CEST 
Assigning to Marc who is nominally responsible for texlive.

Assignee: bugsquad => mageia

Comment 2 David Walser 2023-06-20 03:06:47 CEST 
RedHat has issued an advisory for this today (June 19):
https://access.redhat.com/errata/RHSA-2023:3661
Comment 3 David Walser 2023-06-20 14:46:35 CEST 
Ubuntu has issued an advisory for this on May 30:
https://ubuntu.com/security/notices/USN-6115-1
Comment 4 Marc Krämer 2023-06-20 14:47:34 CEST 
I'm going to check that. I was busy, sorry.
Comment 5 Marc Krämer 2023-07-02 15:37:11 CEST 
Updated texlive packages fix security vulnerability:
Any document compiled with older versions of LuaTeX can execute arbitrary shell commands, even with shell escape disabled.


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32700
https://www.debian.org/security/2023/dsa-5406
https://tug.org/~mseven/luatex.html

========================

Updated packages in core/updates_testing:
========================
MGA8:
lib64kpathsea6-20200406-9.1.mga8
lib64ptexenc1-debuginfo-20200406-9.1.mga8
lib64kpathsea-devel-20200406-9.1.mga8
lib64texlua-devel-20200406-9.1.mga8
lib64ptexenc1-20200406-9.1.mga8
lib64synctex2-20200406-9.1.mga8
lib64kpathsea6-debuginfo-20200406-9.1.mga8
lib64synctex-devel-20200406-9.1.mga8
lib64ptexenc-devel-20200406-9.1.mga8
lib64texlua5-20200406-9.1.mga8
lib64synctex2-debuginfo-20200406-9.1.mga8
lib64texlua5-debuginfo-20200406-9.1.mga8
texlive-20200406-9.1.mga8
texlive-debugsource-20200406-9.1.mga8
texlive-debuginfo-20200406-9.1.mga8

MGA9:
lib64ptexenc1-debuginfo-20220321-7.mga9
lib64kpathsea6-20220321-7.mga9
lib64texlua-devel-20220321-7.mga9
lib64synctex2-20220321-7.mga9
lib64kpathsea-devel-20220321-7.mga9
lib64ptexenc-devel-20220321-7.mga9
lib64synctex-devel-20220321-7.mga9
lib64kpathsea6-debuginfo-20220321-7.mga9
lib64ptexenc1-20220321-7.mga9
lib64synctex2-debuginfo-20220321-7.mga9
lib64texlua5-20220321-7.mga9
lib64texlua5-debuginfo-20220321-7.mga9
texlive-20220321-7.mga9
texlive-debugsource-20220321-7.mga9
texlive-debuginfo-20220321-7.mga9


SRPM:
texlive-20200406-9.1.mga8.src.rpm
texlive-20220321-7.mga9.src.rpm

CVE: (none) => CVE-2023-32700
Assignee: mageia => qa-bugs

David Walser 2023-07-02 19:06:50 CEST

CC: (none) => mageia

Comment 6 Herman Viaene 2023-07-03 11:20:21 CEST 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Following Len's bug 233655 running into similar problems
$ luatex refcard.tex refcard.pdf
This is LuaTeX, Version 1.12.0 (TeX Live 2020/Mageia) 
 restricted system commands enabled.

kpathsea: Running mktexfmt luatex.fmt
mktexfmt: mktexfmt is using the following fmtutil.cnf files (in precedence order):
mktexfmt:   /usr/share/texmf-dist/web2c/fmtutil.cnf
mktexfmt: mktexfmt is using the following fmtutil.cnf file for writing changes:
mktexfmt:   /home/tester8/.texlive2020/texmf-config/web2c/fmtutil.cnf
mktexfmt [INFO]: writing formats under /home/tester8/.texlive2020/texmf-var/web2c
mktexfmt [INFO]: --- remaking luatex with luatex
mktexfmt: running `luatex -ini   -jobname=luatex -progname=luatex luatex.ini' ...
This is LuaTeX, Version 1.12.0 (TeX Live 2020/Mageia)  (INITEX)
 restricted system commands enabled.
(/usr/share/texmf-dist/tex/generic/tex-ini-files/luatex.ini
(/usr/share/texmf-dist/tex/generic/tex-ini-files/luatexconfig.tex
(/usr/share/texmf-dist/tex/generic/config/pdftexconfig.tex))
(/usr/share/texmf-dist/tex/generic/config/luatexiniconfig.tex)
! I can't find file `load-unicode-data.tex'.
l.10 \input load-unicode-data.tex
                               
(Press Enter to retry, or Control-D to exit)
Please type another input file name: 
! Emergency stop.
l.10 \input load-unicode-data.tex
                               
!  ==> Fatal error occurred, no output PDF file produced!
Transcript written on luatex.log.
mktexfmt [INFO]: log file copied to: /home/tester8/.texlive2020/texmf-var/web2c/luatex/luatex.log
mktexfmt [ERROR]: running `luatex -ini   -jobname=luatex -progname=luatex luatex.ini >&2 </dev/null' return status: 1
mktexfmt [ERROR]: returning error due to option --strict
mktexfmt [INFO]: disabled formats: 5
mktexfmt [INFO]: not selected formats: 54
mktexfmt [INFO]: failed to build: 1 (luatex/luatex)
mktexfmt [INFO]: total formats: 60
mktexfmt [INFO]: exiting with status 1
I can't find the format file `luatex.fmt'!

CC: (none) => herman.viaene

Comment 7 Marc Krämer 2023-07-03 12:09:49 CEST 
to compile latex files, you usally need 
texlive-collection-basic
texlive-dist
as well. They are not needed in every case and the dependancies are hard to get. And I don't want everybody to download 1GB, if the only need one of those binary tools included in tex.
Comment 8 Herman Viaene 2023-07-08 14:31:02 CEST 
Installed the M8 packages plus the texlive-dist and its dependency, then
$ luatex refcard.tex refcard.pdf
This is LuaTeX, Version 1.12.0 (TeX Live 2020/Mageia) 
 restricted system commands enabled.
(./refcard.tex [1 column per page] [1{/usr/share/texmf-dist/fonts/map/pdftex/up
dmap/pdftex.map}] [2] [3] [4] [5] [6])</usr/share/texmf-dist/fonts/type1/public
/amsfonts/cm/cmbx10.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/c
mmi10.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb></usr
/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmr7.pfb></usr/share/texmf-dis
t/fonts/type1/public/amsfonts/cm/cmsy7.pfb></usr/share/texmf-dist/fonts/type1/p
ublic/amsfonts/cm/cmti10.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts
/cm/cmtt10.pfb>
Output written on refcard.pdf (6 pages, 113049 bytes).
Transcript written on refcard.log.
The resulting pdf looks perfectly OK.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 9 Thomas Andrews 2023-07-13 15:58:53 CEST 
What to do here? I can validate for Mageia 8, but I have no tests for Cauldron. And with Cauldron so close to RC, I'm not sure of the procedure with regard to that, anyway.

CC: (none) => andrewsfarm

Comment 10 Marc Krämer 2023-07-13 16:03:57 CEST 
@Thomas: the patch for mga8/9 are almost identical.
The patch only affects luatex calls. If it really is broken, what I don't expect, since the patch is the same, we loose only a small piece of functionality.
Comment 11 Thomas Andrews 2023-07-13 17:28:40 CEST 
OK, but as long as it has been assigned to QA, we at least should have a clean install/update for Cauldron, anyway. Just in case some underlying dependency has been missed, etc. It's happened before.

I'll see if I can check that in Virtualbox later today. Right now, I have outdoor work to get done before the thunderstorms come this afternoon.
Comment 12 Marc Krämer 2023-07-13 17:30:05 CEST 
Ok, good luck with your outdoor work
Comment 13 Thomas Andrews 2023-07-14 00:34:34 CEST 
Mga9-64 Plasma in VirtualBox. Used qarepo to download all but the debug packages. There were no installation issues.

Giving this a mga9 OK, and validating.Advisory in comment 5.

CC: (none) => sysadmin-bugs
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2023-07-14 04:12:41 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 14 Mageia Robot 2023-07-19 21:54:54 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0233.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED