A security issue fixed upstream in texlive has been announced:
https://www.openwall.com/lists/oss-security/2018/10/08/3

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assignee: bugsquad => mageia
CC: (none) => marja11
Better use this source:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-17407

They have a link to the patch, which I could not find on the Debian tracker:
https://github.com/TeX-Live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c
Suggested advisory:
========================

Updated texlive packages fix security vulnerabilities:

A buffer overflow in the handling of Type 1 fonts allowed arbitrary code execution when a malicious font is loaded by one of the vulnerable tools: pdflatex, pdftex, dvips, or luatex.

References:
========================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17407
https://www.openwall.com/lists/oss-security/2018/10/08/3

Updated packages in core/updates_testing:
========================
texlive-20160523-7.1.mga6
libkpathsea6-20160523-7.1.mga6
libkpathsea-devel-20160523-7.1.mga6
libkpathsea-static-devel-20160523-7.1.mga6
libtexlua5-20160523-7.1.mga6
libtexlua-devel-20160523-7.1.mga6
libtexlua-static-devel-20160523-7.1.mga6
libsynctex1-20160523-7.1.mga6
libsynctex-devel-20160523-7.1.mga6
libsynctex-static-devel-20160523-7.1.mga6
libptexenc1-20160523-7.1.mga6
libptexenc-devel-20160523-7.1.mga6
libptexenc-static-devel-20160523-7.1.mga6
texlive-debuginfo-20160523-7.1.mga6

Source RPMs:
texlive-20160523-7.1.mga6.src.rpm
Assignee: mageia => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Debian has issued an advisory for this on September 21: https://www.debian.org/security/2018/dsa-4299
CC: (none) => mageia
Before updating installed all the packages, except the debug-info.
It seemed worth trying to familiarize myself with the utilities before updating, so...

$ luatex refcard.tex refcard.pdf
Failed because luatex.fmt was missing.

Found command to generate it:
$ luatex -ini luatex.ini
Failed because luatex.ini was missing.

$ cp /usr/share/texmf-dist/tex/generic/tex-ini-files/luatex.ini .
$ luatex -ini luatex.ini
Failed because load-unicode-data.tex is missing.
Downloaded that from mirrors.ibiblio.org/CTAN/macros/generic/unicode-data/load-unicode-data.tex.

$ luatex -ini luatex.ini
This is LuaTeX, Version 0.95.0 (TeX Live 2016/Mageia) (INITEX)
 restricted system commands enabled.
(./luatex.ini
(/usr/share/texmf-dist/tex/generic/tex-ini-files/luatexconfig.tex
(/usr/share/texmf-dist/tex/generic/config/pdftexconfig.tex))
(/usr/share/texmf-dist/tex/generic/config/luatexiniconfig.tex)
(./load-unicode-data.tex
load-unicode-data.tex v1.7 (2018-06-09)
Reading Unicode data
# UnicodeData-11.0.0.txt
# Downloaded 2018-06-09 06:00:00 GMT [JAW]
) (/usr/share/texmf-dist/tex/plain/etex/etex.src
(/usr/share/texmf-dist/tex/plain/base/plain.tex
Preloading the plain format: codes, registers, parameters, fonts, more fonts,
! Font \preloaded=manfnt not loadable: metric data not found or bad.
<to be read again>
\par
l.468
? Ctrl-D

Don't know where to go with this but shall try out the other commands.
CC: (none) => tarazed25
Before update:

$ pdftex refcard.tex
$ pdftex refcard.tex
This is pdfTeX, Version 3.14159265-2.6-1.40.17 (TeX Live 2016/Mageia) (preloaded format=pdftex)
 restricted \write18 enabled.
kpathsea: Running mktexfmt pdftex.fmt
mktexfmt: mktexfmt is using the following fmtutil.cnf files (in precedence order):
mktexfmt: /usr/share/texmf-dist/web2c/fmtutil.cnf
mktexfmt: mktexfmt is using the following fmtutil.cnf file for writing changes:
mktexfmt: /home/lcl/.texlive2013/texmf-config/web2c/fmtutil.cnf
mktexfmt [INFO]: writing formats under /home/lcl/.texlive2013/texmf-var/web2c
mktexfmt [INFO]: --- remaking pdftex with pdftex
mktexfmt: running `pdftex -ini -jobname=pdftex -progname=pdftex -translate-file=cp227.tcx *pdfetex.ini' ...
[...]
kpathsea: Running mktexmf manfnt
! I can't find file `manfnt'.
<*> ...:=ljfour; mag:=1; nonstopmode; input manfnt
Please type another input file name
! Emergency stop.
<*> ...:=ljfour; mag:=1; nonstopmode; input manfnt
[...]
?
! Emergency stop.
<to be read again>
\par
l.468
! ==> Fatal error occurred, no output PDF file produced!
[...]
I can't find the format file `pdftex.fmt'!

Looks like there is something very wrong here - no idea what.
Where does this file refcard.tex come from?
Looks like it searches for a font. Maybe you have to run mktexlsr (as root), which will update this structure.

This is enhanced in cauldron, but I don't want to push all these fixes and changes to mga6. In mga6, I just want to fix this security issue ;)
In reply to Marc in comment #6: refcard.tex is a specimen that I have had hanging around for ages. I do not know its provenance but would guess that it was originally generated from refcard.pdf and that would have been downloaded from the net at some time. See attachment. It means very little to me - over 30 years since I used LaTeX in production.
Created attachment 10396: Emacs cheat sheet
I also checked a tex file picked at random from the system files:
/usr/share/texmf-dist/tex/plain/base/fontchart.tex
No result with that either.

# mktexlsr
mktexlsr: Updating /etc/texmf/ls-R...
mktexlsr: Updating /usr/share/texmf-dist/ls-R...
mktexlsr: Updating /usr/share/texmf-local/ls-R...
mktexlsr: Updating /var/lib/texmf/ls-R...
mktexlsr: Done.

That did not help.
I shall update the packages when they hit the mirrors.
I still use tex for presentations, and my latest presentation still "compiles".

The documentation from emacs, your file or /usr/share/emacs/24.5/etc/refcards does not.

(./pdflayout.sty (/usr/share/texmf-dist/tex/generic/oberdiek/ifpdf.sty
LaTeX Warning: You have requested package `', but the package provides `ifpdf'.
)) (./emacsver.tex) [3 columns per page]
! Undefined control sequence.
l.156 \nopagenumbers

=> it looks like one of them has some incompatible changes.

e.g.
pdflatex /usr/share/texmf-dist/tex/latex/beamer/emulation/examples/beamerexample-foils.tex
or
pdflatex /usr/share/texmf-dist/./tex/latex/base/testpage.tex
should work.
Before updating I had to rectify something. All the libraries installed were 32-bit - failed to notice earlier. Been alive too long!
Installed the 64-bit libraries and ran the update.

pdftex fails but
$ luatex refcard.tex refcard.pdf
succeeded in generating a readable PDF file.

$ pdftex fontchart.tex
Failed with the message "I can't find the format file `pdftex.fmt'!"
Ran mktexlsr again as well but it did not help.

$ pdflatex /usr/share/texmf-dist/./tex/latex/base/testpage.tex
That did work. Can read testpage.pdf. Thanks Marc.
The other example worked as well. The beamerexample-foils.pdf contains a four-page slideshow.

luatex has problems with the beamer file and stops on a whole series of undefined control sequences, starting with:
! Undefined control sequence.
l.22 \documentclass {beamer}

So I guess you really need to know what you are doing with this stuff.
On the whole it looks like it works. I shall give this the OK if you would confirm that this is enough testing Marc.
yep, that looks quite good to me, afaik luatex is broken in mga6. At least we are in the same shape as before the update :)
Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0397.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED