
Bug 906712 (CVE-2023-32668, CVE-2023-32700)

Summary: <app-text/texlive-core-2021-r7: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: normal
CC: aballier, mail, tex
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://tug.org/~mseven/luatex.html
Whiteboard: B2 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 836779, 907240
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-19 03:15:55 UTC
CVE-2023-32668 (https://tug.org/pipermail/tex-live/2023-May/049188.html):

LuaTeX before 1.17.0 enables the socket library by default.

There is also CVE-2023-32700, which is remote code execution fixed in
luatex-1.17.0, though I'm not certain how that maps to our versioning.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-05-19 05:14:42 UTC
commit 96fe8d6e52f342b6764536aca58ddd563df3e278 (HEAD -> master, origin/master, origin/HEAD)
Author: Sam James <sam@gentoo.org>
Date:   Fri May 19 06:01:11 2023 +0100

    app-text/texlive-core: patch CVE-2023-32700

    This does not fix CVE-2023-32668 which changes behaviour so must be handled
    in a new version (>= 2023).

    Bug: https://bugs.gentoo.org/836779
    Bug: https://bugs.gentoo.org/906712
    Signed-off-by: Sam James <sam@gentoo.org>
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-05-20 03:30:30 UTC
CVE-2023-32668 will need us to bump to TL-2023.
Comment 3 Hans de Graaff gentoo-dev Security 2024-12-14 07:36:49 UTC
commit cf787b5efd616d6d71d6d0734cb126d7b404b2e2
Author: Florian Schmaus <flow@gentoo.org>
Date:   Sun Dec 8 11:54:35 2024 +0100

    app-text/texlive-core: drop 2021-r6, 2021-r7
    
    Signed-off-by: Florian Schmaus <flow@gentoo.org>