Hi Bastien

On Wed, Oct 30, 2024 at 08:56:49AM +0000, ro...@debian.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> - -------------------------------------------------------------------------
> Debian LTS Advisory DLA-3941-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                   Bastien Roucariès
> October 29, 2024                              https://wiki.debian.org/LTS
> - -------------------------------------------------------------------------
> 
> Package        : texlive-bin
> Version        : 2020.20200327.54578-7+deb11u2
> CVE ID         : CVE-2023-32668 CVE-2024-25262
> Debian Bug     : 1036470 1064517
> 
> texlive, a popular software distribution for the TeX typesetting system
> that includes major TeX-related programs, macro packages, and fonts,
> was affected by two vulnerabilities.
> 
> CVE-2023-32668
> 
>     A document (compiled with the default settings)
>     was allowed to make arbitrary network requests.
>     This occurs because full access to the socket library was
>     permitted by default, as stated in the documentation.

This might actually need a followup for src:context similar to what
was done for bookworm once fixing the CVE (was done in a point release
due to being no-dsa). The problem is highlighted here:

https://www.maxchernoff.ca/p/luatex-vulnerabilities#luasocket

When you install texlive-binaries and context in bullseye:

# apt-get install context texlive-binaries
[...]
Setting up texlive-binaries (2020.20200327.54578-7+deb11u2) ...
[...]
Setting up texlive-metapost (2020.20210202-3) ...
Setting up texlive-luatex (2020.20210202-3) ...
Setting up texlive-plain-generic (2020.20210202-3) ...
Setting up context (2020.03.10.20200331-1) ...
Running mtxrun --generate. This may take some time... done.
Pregenerating ConTeXt MarkIV format. This may take some time...

will hang here.

In bookworm for src:context you have the following change as well
(which might need adaptation for older versions):

https://sources.debian.org/src/context/2021.03.05.20230120%2Bdfsg-1%2Bdeb12u1/debian/patches/enable_socket_in_mtxrun/

Can you have a look?

Regards,
Salvatore
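
As an added check, not part of the advisory or of this thread: a minimal
plain TeX document that reports, from inside the document itself, whether
the installed LuaTeX exposes the socket library under default settings,
which is the condition behind CVE-2023-32668. It assumes the file name
socket-probe.tex and a plain `luatex` invocation with no extra switches.

```tex
% Added probe, not from the advisory or this thread. Compile with
%   luatex socket-probe.tex
% and no extra switches, so the document runs with the default settings
% the advisory refers to. The file name is an assumption. Lua comments
% below use --[[ ]] because line ends inside \directlua become spaces.
\directlua{
  local function probe()
    --[[ pcall: on a fixed build require() fails; report it, do not abort ]]
    local ok, mod = pcall(require, "socket")
    local lib = (ok and type(mod) == "table" and mod) or _G.socket
    return {
      loadable = ok,
      global   = type(_G.socket) == "table",
      --[[ socket.tcp is what a document needs to open a connection ]]
      tcp      = type(lib) == "table" and type(lib.tcp) == "function",
    }
  end
  local r = probe()
  for _, k in ipairs({"loadable", "global", "tcp"}) do
    texio.write_nl("socket-probe: " .. k .. " = " .. tostring(r[k]))
  end
  if r.tcp then
    texio.write_nl("socket-probe: RESULT unfixed, documents can open network sockets")
  else
    texio.write_nl("socket-probe: RESULT fixed, socket library not exposed to documents")
  end
}
\bye
```

The lines are written to the terminal and the .log file, so the same
document can be dropped into a package autopkgtest and grepped for the
RESULT line.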
