Debian has issued an advisory on May 20:
https://www.debian.org/security/2023/dsa-5406

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Assigning to Marc who is nominally responsible for texlive.
Assignee: bugsquad => mageia
Red Hat has issued an advisory for this today (June 19): https://access.redhat.com/errata/RHSA-2023:3661
Ubuntu has issued an advisory for this on May 30: https://ubuntu.com/security/notices/USN-6115-1
I'm going to check that. I was busy, sorry.
Updated texlive packages fix security vulnerability:

Any document compiled with older versions of LuaTeX can execute arbitrary shell commands, even with shell escape disabled.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32700
https://www.debian.org/security/2023/dsa-5406
https://tug.org/~mseven/luatex.html
========================

Updated packages in core/updates_testing:
========================
MGA8:
lib64kpathsea6-20200406-9.1.mga8
lib64ptexenc1-debuginfo-20200406-9.1.mga8
lib64kpathsea-devel-20200406-9.1.mga8
lib64texlua-devel-20200406-9.1.mga8
lib64ptexenc1-20200406-9.1.mga8
lib64synctex2-20200406-9.1.mga8
lib64kpathsea6-debuginfo-20200406-9.1.mga8
lib64synctex-devel-20200406-9.1.mga8
lib64ptexenc-devel-20200406-9.1.mga8
lib64texlua5-20200406-9.1.mga8
lib64synctex2-debuginfo-20200406-9.1.mga8
lib64texlua5-debuginfo-20200406-9.1.mga8
texlive-20200406-9.1.mga8
texlive-debugsource-20200406-9.1.mga8
texlive-debuginfo-20200406-9.1.mga8

MGA9:
lib64ptexenc1-debuginfo-20220321-7.mga9
lib64kpathsea6-20220321-7.mga9
lib64texlua-devel-20220321-7.mga9
lib64synctex2-20220321-7.mga9
lib64kpathsea-devel-20220321-7.mga9
lib64ptexenc-devel-20220321-7.mga9
lib64synctex-devel-20220321-7.mga9
lib64kpathsea6-debuginfo-20220321-7.mga9
lib64ptexenc1-20220321-7.mga9
lib64synctex2-debuginfo-20220321-7.mga9
lib64texlua5-20220321-7.mga9
lib64texlua5-debuginfo-20220321-7.mga9
texlive-20220321-7.mga9
texlive-debugsource-20220321-7.mga9
texlive-debuginfo-20220321-7.mga9

SRPM:
texlive-20200406-9.1.mga8.src.rpm
texlive-20220321-7.mga9.src.rpm

CVE: (none) => CVE-2023-32700
Assignee: mageia => qa-bugs
CC: (none) => mageia
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Following Len's bug 233655 running into similar problems

$ luatex refcard.tex refcard.pdf
This is LuaTeX, Version 1.12.0 (TeX Live 2020/Mageia)
 restricted system commands enabled.
kpathsea: Running mktexfmt luatex.fmt
mktexfmt: mktexfmt is using the following fmtutil.cnf files (in precedence order):
mktexfmt: /usr/share/texmf-dist/web2c/fmtutil.cnf
mktexfmt: mktexfmt is using the following fmtutil.cnf file for writing changes:
mktexfmt: /home/tester8/.texlive2020/texmf-config/web2c/fmtutil.cnf
mktexfmt [INFO]: writing formats under /home/tester8/.texlive2020/texmf-var/web2c
mktexfmt [INFO]: --- remaking luatex with luatex
mktexfmt: running `luatex -ini -jobname=luatex -progname=luatex luatex.ini' ...
This is LuaTeX, Version 1.12.0 (TeX Live 2020/Mageia) (INITEX)
 restricted system commands enabled.
(/usr/share/texmf-dist/tex/generic/tex-ini-files/luatex.ini
(/usr/share/texmf-dist/tex/generic/tex-ini-files/luatexconfig.tex
(/usr/share/texmf-dist/tex/generic/config/pdftexconfig.tex))
(/usr/share/texmf-dist/tex/generic/config/luatexiniconfig.tex)
! I can't find file `load-unicode-data.tex'.
l.10 \input load-unicode-data.tex
(Press Enter to retry, or Control-D to exit)
Please type another input file name:
! Emergency stop.
l.10 \input load-unicode-data.tex
! ==> Fatal error occurred, no output PDF file produced!
Transcript written on luatex.log.
mktexfmt [INFO]: log file copied to: /home/tester8/.texlive2020/texmf-var/web2c/luatex/luatex.log
mktexfmt [ERROR]: running `luatex -ini -jobname=luatex -progname=luatex luatex.ini >&2 </dev/null' return status: 1
mktexfmt [ERROR]: returning error due to option --strict
mktexfmt [INFO]: disabled formats: 5
mktexfmt [INFO]: not selected formats: 54
mktexfmt [INFO]: failed to build: 1 (luatex/luatex)
mktexfmt [INFO]: total formats: 60
mktexfmt [INFO]: exiting with status 1
I can't find the format file `luatex.fmt'!
CC: (none) => herman.viaene
To compile latex files, you usually need texlive-collection-basic texlive-dist as well. They are not needed in every case and the dependencies are hard to get. And I don't want everybody to download 1GB, if they only need one of those binary tools included in tex.
Installed the M8 packages plus the texlive-dist and its dependency, then

$ luatex refcard.tex refcard.pdf
This is LuaTeX, Version 1.12.0 (TeX Live 2020/Mageia)
 restricted system commands enabled.
(./refcard.tex [1 column per page] [1{/usr/share/texmf-dist/fonts/map/pdftex/up
dmap/pdftex.map}] [2] [3] [4] [5] [6])</usr/share/texmf-dist/fonts/type1/public
/amsfonts/cm/cmbx10.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/c
mmi10.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb></usr
/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmr7.pfb></usr/share/texmf-dis
t/fonts/type1/public/amsfonts/cm/cmsy7.pfb></usr/share/texmf-dist/fonts/type1/p
ublic/amsfonts/cm/cmti10.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts
/cm/cmtt10.pfb>
Output written on refcard.pdf (6 pages, 113049 bytes).
Transcript written on refcard.log.

The resulting pdf looks perfectly OK.
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
What to do here? I can validate for Mageia 8, but I have no tests for Cauldron. And with Cauldron so close to RC, I'm not sure of the procedure with regard to that, anyway.
CC: (none) => andrewsfarm
@Thomas: the patches for mga8/9 are almost identical. The patch only affects luatex calls. If it really is broken, which I don't expect, since the patch is the same, we lose only a small piece of functionality.
OK, but as long as it has been assigned to QA, we at least should have a clean install/update for Cauldron, anyway. Just in case some underlying dependency has been missed, etc. It's happened before. I'll see if I can check that in Virtualbox later today. Right now, I have outdoor work to get done before the thunderstorms come this afternoon.
Ok, good luck with your outdoor work
Mga9-64 Plasma in VirtualBox. Used qarepo to download all but the debug packages. There were no installation issues. Giving this a mga9 OK, and validating. Advisory in comment 5.
CC: (none) => sysadmin-bugs
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0233.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED