--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: texlive-...@packages.debian.org
Control: affects -1 + src:texlive-bin
[ Reason ]
- Fix a security leak.
- Fix a bug, which could lead to data loss (text in documents).
[ Impact ]
The texlive-bin package in Debian stable currently suffers from
the (low) security leak and the bug, which could lead to unexpected
results, when typesettings documents.
[ Tests ]
The texlive-bin package has an own test suite, which is provided
by upstream. It is called at the end of the build.
[ Risks ]
Both patches are contained in Debian unstable for a while, and
thouroughly tested.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in stable
[X] the issue is verified as fixed in unstable
[ Changes ]
- Fix for CVE-2024-25262, which is listes in the Debian Tracker.
- As described in https://tex.stackexchange.com/q/652458
https://tex.stackexchange.com/q/652458, luatex loses or changes
text (not formatting!) in particular circumstances.
[ Other ]
The debdiff is not really minimal, it contains a disabled patch. This
is how it is currently in the git repo. Let me know, if I should create
another package and remove that patch.
diff -Nru texlive-bin-2022.20220321.62855/debian/changelog texlive-bin-2022.20220321.62855/debian/changelog
--- texlive-bin-2022.20220321.62855/debian/changelog 2023-06-27 22:07:12.000000000 +0200
+++ texlive-bin-2022.20220321.62855/debian/changelog 2024-10-11 22:47:45.000000000 +0200
@@ -1,3 +1,11 @@
+texlive-bin (2022.20220321.62855-5.1+deb12u2) bookworm; urgency=medium
+
+ * Add patches from upstream for "luatex loses or changes text when
+ discretionaries with priorities are used" (Closes: #1041441).
+ * Add patch for CVE-2024-25262.
+
+ -- Hilmar Preuße <hill...@debian.org> Fri, 11 Oct 2024 22:47:45 +0200
+
texlive-bin (2022.20220321.62855-5.1+deb12u1) bookworm; urgency=medium
* Stop building *jit* binaries on i386 based arches to make TL installable
diff -Nru texlive-bin-2022.20220321.62855/debian/patches/ad3b0d706c71bb6f3309a236e98e8fb644121bc6.patch texlive-bin-2022.20220321.62855/debian/patches/ad3b0d706c71bb6f3309a236e98e8fb644121bc6.patch
--- texlive-bin-2022.20220321.62855/debian/patches/ad3b0d706c71bb6f3309a236e98e8fb644121bc6.patch 1970-01-01 01:00:00.000000000 +0100
+++ texlive-bin-2022.20220321.62855/debian/patches/ad3b0d706c71bb6f3309a236e98e8fb644121bc6.patch 2024-10-11 22:41:06.000000000 +0200
@@ -0,0 +1,90 @@
+From ad3b0d706c71bb6f3309a236e98e8fb644121bc6 Mon Sep 17 00:00:00 2001
+From: Luigi Scarso <luigi.sca...@gmail.com>
+Date: Sat, 30 Jul 2022 14:48:29 +0000
+Subject: [PATCH] Take exception pre/port disc font from wordstart (H.Hagen).
+ Fixed some missed files in trunk from latest update from TexLive
+
+[[Split portion of a mixed commit.]]
+---
+ source/texk/web2c/luatexdir/ChangeLog | 3 ++
+ source/texk/web2c/luatexdir/lang/texlang.c | 28 +++++++++++++------
+ .../texk/web2c/luatexdir/luatex_svnversion.h | 2 +-
+ 3 files changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/source/texk/web2c/luatexdir/lang/texlang.c b/source/texk/web2c/luatexdir/lang/texlang.c
+index 67ef25ca1..f9e53bbba 100644
+--- a/texk/web2c/luatexdir/lang/texlang.c
++++ b/texk/web2c/luatexdir/lang/texlang.c
+@@ -358,7 +358,9 @@ static halfword insert_discretionary(halfword t, halfword pre, halfword post, ha
+ f = get_cur_font();
+ }
+ for (g = pre; g != null; g = vlink(g)) {
+- font(g) = f;
++ if (! font(g)) {
++ font(g) = f;
++ }
+ if (attr != null) {
+ delete_attribute_ref(node_attr(g));
+ node_attr(g) = attr;
+@@ -366,7 +368,9 @@ static halfword insert_discretionary(halfword t, halfword pre, halfword post, ha
+ }
+ }
+ for (g = post; g != null; g = vlink(g)) {
+- font(g) = f;
++ if (! font(g)) {
++ font(g) = f;
++ }
+ if (attr != null) {
+ delete_attribute_ref(node_attr(g));
+ node_attr(g) = attr;
+@@ -531,9 +535,14 @@ char *exception_strings(struct tex_language *lang)
+ The sequence from |wordstart| to |r| can contain only normal characters it
+ could be faster to modify a halfword pointer and return an integer
+
++ We now take the font from the wordstart (as in \LUAMETATEX) but leave the
++ rest as it is, because we don't want to break compatibility (end June 2022).
++ We make a copy now of the parent and hope for the best. Backporting would be
++ too intrusive so this has to do. It went unnoticed for ages anyway.
++
+ */
+
+-static halfword find_exception_part(unsigned int *j, unsigned int *uword, int len)
++static halfword find_exception_part(unsigned int *j, unsigned int *uword, int len, halfword parent)
+ {
+ halfword g = null, gg = null;
+ register unsigned i = *j;
+@@ -541,13 +550,16 @@ static halfword find_exception_part(unsigned int *j, unsigned int *uword, int le
+ i++;
+ while (i < (unsigned) len && uword[i + 1] != '}') {
+ if (g == null) {
+- gg = new_char(0, (int) uword[i + 1]);
++ /* gg = new_char(font(parent), (int) uword[i + 1]); */
++ gg = copy_node(parent);
+ g = gg;
+ } else {
+- halfword s = new_char(0, (int) uword[i + 1]);
++ /* halfword s = new_char(font(parent), (int) uword[i + 1]); */
++ halfword s = copy_node(parent);
+ couple_nodes(g, s);
+- g = vlink(g);
++ g = s;
+ }
++ character(g) = (int) uword[i + 1];
+ i++;
+ }
+ *j = ++i;
+@@ -614,12 +626,12 @@ static void do_exception(halfword wordstart, halfword r, char *replacement)
+ halfword gg, hh, replace = null;
+ int repl;
+ /*tex |pre| */
+- gg = find_exception_part(&i, uword, (int) len);
++ gg = find_exception_part(&i, uword, (int) len, wordstart);
+ if (i == len || uword[i + 1] != '{') {
+ tex_error("broken pattern 1", PAT_ERROR);
+ }
+ /*tex |post| */
+- hh = find_exception_part(&i, uword, (int) len);
++ hh = find_exception_part(&i, uword, (int) len, wordstart);
+ if (i == len || uword[i + 1] != '{') {
+ tex_error("broken pattern 2", PAT_ERROR);
+ }
diff -Nru texlive-bin-2022.20220321.62855/debian/patches/be0377afd9573be47495ac97be42ecc4dae5f0a2.patch texlive-bin-2022.20220321.62855/debian/patches/be0377afd9573be47495ac97be42ecc4dae5f0a2.patch
--- texlive-bin-2022.20220321.62855/debian/patches/be0377afd9573be47495ac97be42ecc4dae5f0a2.patch 1970-01-01 01:00:00.000000000 +0100
+++ texlive-bin-2022.20220321.62855/debian/patches/be0377afd9573be47495ac97be42ecc4dae5f0a2.patch 2024-10-11 22:41:06.000000000 +0200
@@ -0,0 +1,24 @@
+From be0377afd9573be47495ac97be42ecc4dae5f0a2 Mon Sep 17 00:00:00 2001
+From: Luigi Scarso <luigi.sca...@gmail.com>
+Date: Sat, 30 Jul 2022 20:41:39 +0000
+Subject: [PATCH] Backtrack replace pointer when successive disc in exceptions
+ (H. Hagen)
+
+---
+ source/texk/web2c/luatexdir/ChangeLog | 3 +++
+ source/texk/web2c/luatexdir/lang/texlang.c | 1 +
+ source/texk/web2c/luatexdir/luatex_svnversion.h | 2 +-
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/source/texk/web2c/luatexdir/lang/texlang.c b/source/texk/web2c/luatexdir/lang/texlang.c
+index f9e53bbba..a0d067251 100644
+--- a/texk/web2c/luatexdir/lang/texlang.c
++++ b/texk/web2c/luatexdir/lang/texlang.c
+@@ -705,6 +705,7 @@ static void do_exception(halfword wordstart, halfword r, char *replacement)
+ /*tex check if we have two exceptions in a row */
+ if (uword[i + 1] == '{') {
+ i--;
++t = alink(t);
+ }
+ } else {
+ t = vlink(t);
diff -Nru texlive-bin-2022.20220321.62855/debian/patches/CVE-2024-25262.diff texlive-bin-2022.20220321.62855/debian/patches/CVE-2024-25262.diff
--- texlive-bin-2022.20220321.62855/debian/patches/CVE-2024-25262.diff 1970-01-01 01:00:00.000000000 +0100
+++ texlive-bin-2022.20220321.62855/debian/patches/CVE-2024-25262.diff 2024-10-11 22:41:06.000000000 +0200
@@ -0,0 +1,22 @@
+From: https://github.com/TeX-Live/texlive-source/pull/63/commits/87bd510f8b8acff7096159423f87251d82288700
+Date: Fri, 16 Jan 2024 00:00:00 +0100
+Subject: Fix for CVE-2024-25262.
+Origin: upstream
+
+diff --git a/texk/ttfdump/libttf/hdmx.c b/texk/ttfdump/libttf/hdmx.c
+index d91b98eb1b..a0ee60ca59 100644
+--- a/texk/ttfdump/libttf/hdmx.c
++++ b/texk/ttfdump/libttf/hdmx.c
+@@ -44,7 +44,11 @@ static void ttfLoadHDMX (FILE *fp,HDMXPtr hdmx,ULONG offset)
+ hdmx->Records[i].PixelSize = ttfGetBYTE(fp);
+ hdmx->Records[i].MaxWidth = ttfGetBYTE(fp);
+ hdmx->Records[i].Width = XCALLOC (hdmx->size, BYTE);
+- fread ((hdmx->Records+i)->Width, sizeof(BYTE), hdmx->numGlyphs+1,fp);
++ //if hdmx->numGlyphs+1 > hdmx->size,it will coredump,so we read min(hdmx->numGlyphs+1,hdmx->size) and truncate the remainder.
++ if (hdmx->numGlyphs+1 <= hdmx->size)
++ fread ((hdmx->Records+i)->Width, sizeof(BYTE), hdmx->numGlyphs+1,fp);
++ else
++ fread ((hdmx->Records+i)->Width, sizeof(BYTE), hdmx->size,fp);
+ }
+ }
+
diff -Nru texlive-bin-2022.20220321.62855/debian/patches/series texlive-bin-2022.20220321.62855/debian/patches/series
--- texlive-bin-2022.20220321.62855/debian/patches/series 2023-06-27 22:07:12.000000000 +0200
+++ texlive-bin-2022.20220321.62855/debian/patches/series 2024-10-11 22:41:06.000000000 +0200
@@ -15,3 +15,6 @@
wrong-manual-section_axohelp.1
CVE-2023-32700.patch
CVE-2023-32668.patch
+#ad3b0d706c71bb6f3309a236e98e8fb644121bc6.patch
+be0377afd9573be47495ac97be42ecc4dae5f0a2.patch
+CVE-2024-25262.diff
signature.asc
Description: PGP signature
--- End Message ---
