Ubuntu has issued an advisory on March 14: https://ubuntu.com/security/notices/USN-6695-1 Mageia 9 is also affected.
Source RPM: (none) => texlive-20220321-9.mga10.src.rpm
CVE: (none) => CVE-2024-25262, CVE-2023-32668
Whiteboard: (none) => MGA9TOO
Status comment: (none) => pa
Status comment: pa => Patches available from upstream and Ubuntu
Cannot see anything about patches on the project site.

32668 refers to these patches:
Patches:
upstream: https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/b266ef076c96b382cd23a4c93204e247bb98626a
upstream: https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/e7df9234420973a2f69aac1b10cbb5f00b0cda4d
upstream: https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/da4492c789e25f05255d54e45447d3da79098967

25262 to this one:
Patches:
upstream: https://github.com/TeX-Live/texlive-source/pull/63

Marc looks to be the principal packager for Texlive, so assigning to you. Re-assign it if you see fit.
Assignee: bugsquad => mageia
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5. (CVE-2023-32668)

texlive-bin commit c515e was discovered to contain heap buffer overflow via the function ttfLoadHDMX:ttfdump. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted TTF file. (CVE-2024-25262)

References:
https://ubuntu.com/security/notices/USN-6695-1
========================

Updated packages in core/updates_testing:
========================
lib(64)kpathsea6-20220321-7.1.mga9
lib(64)kpathsea-devel-20220321-7.1.mga9
lib(64)ptexenc1-20220321-7.1.mga9
lib(64)ptexenc-devel-20220321-7.1.mga9
lib(64)synctex2-20220321-7.1.mga9
lib(64)synctex-devel-20220321-7.1.mga9
lib(64)texlua5-20220321-7.1.mga9
lib(64)texlua-devel-20220321-7.1.mga9
texlive-20220321-7.1.mga9

from SRPM:
texlive-20220321-7.1.mga9.src.rpm

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Source RPM: texlive-20220321-9.mga10.src.rpm => texlive-20220321-7.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: mageia => qa-bugs
Status comment: Patches available from upstream and Ubuntu => (none)
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on HP-Pavilion
No installation issues.
Used test file from bug 23655 and followed test from bug 31952. Ran into the same problem. Installing additional texlive-dist package plus its dependencies and then

$ luatex refcard.tex refcard.pdf
This is LuaTeX, Version 1.15.0 (TeX Live 2022/Mageia)
 restricted system commands enabled.
(./refcard.tex [1 column per page] [1{/usr/share/texmf-dist/fonts/map/pdftex/up
dmap/pdftex.map}] [2] [3] [4] [5] [6])</usr/share/texmf-dist/fonts/type1/public
/amsfonts/cm/cmbx10.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/c
mmi10.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb></usr
/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmr7.pfb></usr/share/texmf-dis
t/fonts/type1/public/amsfonts/cm/cmsy7.pfb></usr/share/texmf-dist/fonts/type1/p
ublic/amsfonts/cm/cmti10.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts
/cm/cmtt10.pfb>
Output written on refcard.pdf (6 pages, 113049 bytes).
Transcript written on refcard.log.

Checked the resulting pdf, looks good.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0108.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
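To confirm that a Mageia 9 host carries the fixed build named in the suggested advisory (20220321-7.1.mga9), the following added example, which is not part of the original thread or of Mageia's tooling, compares installed package releases against it. It assumes input from `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, no epoch on these packages, and uses a simplified reimplementation of RPM's version ordering; the sample input is constructed.

```python
import re

# Fixed version-release and package names, both taken from the advisory above.
FIXED = "20220321-7.1.mga9"
STEMS = ["kpathsea6", "kpathsea-devel", "ptexenc1", "ptexenc-devel",
         "synctex2", "synctex-devel", "texlua5", "texlua-devel"]
PACKAGES = {"texlive"} | {lib + s for s in STEMS for lib in ("lib", "lib64")}

def rpmvercmp(a, b):
    """Simplified rpmvercmp (no '~' or '^' handling): returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def evr_cmp(a, b):
    """Compare two 'version-release' strings; epoch is assumed absent."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unpatched(rpm_output):
    """Return (name, version-release) for advisory packages older than FIXED."""
    stale = []
    for line in rpm_output.splitlines():
        fields = line.split()
        if len(fields) != 2 or fields[0] not in PACKAGES or "-" not in fields[1]:
            continue  # unrelated package or malformed line
        if evr_cmp(fields[1], FIXED) < 0:
            stale.append((fields[0], fields[1]))
    return stale

# Constructed sample of the rpm query output described in the lead-in.
SAMPLE = """\
texlive 20220321-7.mga9
lib64kpathsea6 20220321-7.1.mga9
lib64texlua5 20220321-7.mga9
lib64synctex2 20220321-8.mga9
bash 5.2.15-3.mga9
"""

if __name__ == "__main__":
    for name, evr in unpatched(SAMPLE):
        print(f"{name} {evr} is older than {FIXED}")
```

The release comparison is the part a plain string comparison would miss: `7.mga9` sorts before `7.1.mga9` because a numeric segment outranks an alphabetic one.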