Version in base suite: 2022.20220321.62855-5.1 Base version: texlive-bin_2022.20220321.62855-5.1 Target version: texlive-bin_2022.20220321.62855-5.1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/texlive-bin/texlive-bin_2022.20220321.62855-5.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/t/texlive-bin/texlive-bin_2022.20220321.62855-5.1+deb12u1.dsc changelog | 9 + control | 3 patches/CVE-2023-32668.patch | 234 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 rules | 2 5 files changed, 246 insertions(+), 3 deletions(-) diff -Nru texlive-bin-2022.20220321.62855/debian/changelog texlive-bin-2022.20220321.62855/debian/changelog --- texlive-bin-2022.20220321.62855/debian/changelog 2023-05-18 21:15:13.000000000 +0000 +++ texlive-bin-2022.20220321.62855/debian/changelog 2023-06-27 20:07:12.000000000 +0000 @@ -1,3 +1,12 @@ +texlive-bin (2022.20220321.62855-5.1+deb12u1) bookworm-proposed-updates; urgency=medium + + * Stop building *jit* binaries on i386 based arches to make TL installable + on computers not supporting sse2 (Closes: #1035461). + * Add patch for CVE-2023-32668: disable socket in luatex by default + (Closes: #1036470). + + -- Hilmar Preusse Tue, 27 Jun 2023 22:07:12 +0200 + texlive-bin (2022.20220321.62855-5.1) unstable; urgency=high * Non-maintainer upload. diff -Nru texlive-bin-2022.20220321.62855/debian/control texlive-bin-2022.20220321.62855/debian/control --- texlive-bin-2022.20220321.62855/debian/control 2023-05-18 21:15:13.000000000 +0000 +++ texlive-bin-2022.20220321.62855/debian/control 2023-06-27 20:05:10.000000000 +0000 
@@ -50,13 +50,12 @@ libtexlua53-5 (<< ${source:Version}.1~), libtexluajit2 (>= ${source:Version}) [amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc], libtexluajit2 (<< ${source:Version}.1~) [amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc], - sse2-support [i386], t1utils, tex-common, perl:any, ${shlibs:Depends}, ${misc:Depends} Recommends: texlive-base, dvisvgm Replaces: ptex-bin, mendexk, jmpost, luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329) Conflicts: mendexk, makejvf, jmpost -Breaks: texlive-base (<< 2021), luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329) +Breaks: texlive-base (<< 2021), luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329), context (<= 2021.03.05.20230120+dfsg-1) Provides: texlive-base-bin, makejvf, mendexk, jmpost, luatex Description: Binaries for TeX Live This package contains all the binaries of TeX Live packages. diff -Nru texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch --- texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch 1970-01-01 00:00:00.000000000 +0000 +++ texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch 2023-06-27 20:05:10.000000000 +0000 
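Review bot: The Depends line for libtexluajit2 left as context here still carries the arch list `[amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc]`, while the debian/rules hunk later in this diff drops hurd-i386, i386 and kfreebsd-i386 from `LUAJIT_GOOD_ARCHS`. Unless the Architecture of the libtexluajit2 binary package is adjusted outside this diff, texlive-binaries would depend on a package that is no longer built on those arches, which defeats the installability goal stated in the changelog. The two arch lists should be changed together, e.g. `libtexluajit2 (>= ${source:Version}) [amd64 armel armhf kfreebsd-amd64 powerpc]`, so that control and rules agree.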
@@ -0,0 +1,234 @@ +--- texlive-bin.orig/texk/web2c/luatexdir/lua/loslibext.c ++++ texlive-bin/texk/web2c/luatexdir/lua/loslibext.c +@@ -1046,6 +1046,59 @@ + return ret; + } + ++/* socket.sleep and socket.gettime */ ++/* are duplicated here, and they are */ ++/* always available (the socket library */ ++/* can be nil in some setups) */ ++#ifdef _WIN32 ++static int socket_timeout_lua_sleep(lua_State *L) ++{ ++ double n = luaL_checknumber(L, 1); ++ if (n < 0.0) n = 0.0; ++ if (n < DBL_MAX/1000.0) n *= 1000.0; ++ if (n > INT_MAX) n = INT_MAX; ++ Sleep((int)n); ++ return 0; ++} ++static double socket_timeout_gettime(void) { ++ FILETIME ft; ++ double t; ++ GetSystemTimeAsFileTime(&ft); ++ /* Windows file time (time since January 1, 1601 (UTC)) */ ++ t = ft.dwLowDateTime/1.0e7 + ft.dwHighDateTime*(4294967296.0/1.0e7); ++ /* convert to Unix Epoch time (time since January 1, 1970 (UTC)) */ ++ return (t - 11644473600.0); ++} ++#else ++static int socket_timeout_lua_sleep(lua_State *L) ++{ ++ double n = luaL_checknumber(L, 1); ++ struct timespec t, r; ++ if (n < 0.0) n = 0.0; ++ if (n > INT_MAX) n = INT_MAX; ++ t.tv_sec = (int) n; ++ n -= t.tv_sec; ++ t.tv_nsec = (int) (n * 1000000000); ++ if (t.tv_nsec >= 1000000000) t.tv_nsec = 999999999; ++ while (nanosleep(&t, &r) != 0) { ++ t.tv_sec = r.tv_sec; ++ t.tv_nsec = r.tv_nsec; ++ } ++ return 0; ++} ++static double socket_timeout_gettime(void) { ++ struct timeval v; ++ gettimeofday(&v, (struct timezone *) NULL); ++ /* Unix Epoch time (time since January 1, 1970 (UTC)) */ ++ return v.tv_sec + v.tv_usec/1.0e6; ++} ++#endif ++static int socket_timeout_lua_gettime(lua_State *L) ++{ ++ lua_pushnumber(L, socket_timeout_gettime()); ++ return 1; ++} ++ + + /* + ** ====================================================== +@@ -1185,8 +1238,16 @@ + lua_setfield(L, -2, "execute"); + lua_pushcfunction(L, os_tmpdir); + lua_setfield(L, -2, "tmpdir"); ++ + lua_pushcfunction(L, io_kpse_popen); + lua_setfield(L, -2, "kpsepopen"); + ++ 
lua_pushcfunction(L, socket_timeout_lua_sleep); ++ lua_setfield(L, -2, "socketsleep"); ++ ++ lua_pushcfunction(L, socket_timeout_lua_gettime); ++ lua_setfield(L, -2, "socketgettime"); ++ ++ + lua_pop(L, 1); /* pop the table */ + } +--- texlive-bin.orig/texk/web2c/luatexdir/lua/luainit.c ++++ texlive-bin/texk/web2c/luatexdir/lua/luainit.c +@@ -85,6 +85,8 @@ + " --lua=FILE load and execute a lua initialization script", + " --[no-]mktex=FMT disable/enable mktexFMT generation (FMT=tex/tfm)", + " --nosocket disable the lua socket library", ++ " --no-socket disable the lua socket library", ++ " --socket enable the lua socket library", + " --output-comment=STRING use STRING for DVI file comment instead of date (no effect for PDF)", + " --output-directory=DIR use existing DIR as the directory to write files in", + " --output-format=FORMAT use FORMAT for job output; FORMAT is 'dvi' or 'pdf'", +@@ -212,9 +214,30 @@ + #endif + + int safer_option = 0; +-int nosocket_option = 0; ++int nosocket_option = 1; ++int nosocket_cli_option = 0; ++int yessocket_cli_option = 0; ++int socket_bitmask = 0; + int utc_option = 0; + ++/*tex We use a bitmask for the socket library: |0000| and |1xxx| implies |--nosocket|, ++ otherwise the socket library is enabled. Default value is |0000|, i.e. |--nosocket|. ++*/ ++#define UPDATE_SOCKET_STATUS() do { \ ++ socket_bitmask = 0; \ ++ socket_bitmask = safer_option==1? (8+socket_bitmask):socket_bitmask;\ ++ socket_bitmask = nosocket_cli_option==1? (4+socket_bitmask):socket_bitmask;\ ++ socket_bitmask = (shellenabledp == 1 && restrictedshell == 0)?(2+socket_bitmask):socket_bitmask;\ ++ socket_bitmask = yessocket_cli_option==1? (1+socket_bitmask):socket_bitmask;\ ++ if( socket_bitmask==0) { \ ++ nosocket_option = 1; \ ++ } else if ( socket_bitmask<4) { \ ++ nosocket_option = 0; \ ++ } else { \ ++ nosocket_option = 1; \ ++ } \ ++} while (0) ++ + /*tex + + Test whether getopt found an option ``A''. 
Assumes the option index is in the +@@ -242,7 +265,9 @@ + #endif + {"safer", 0, &safer_option, 1}, + {"utc", 0, &utc_option, 1}, +- {"nosocket", 0, &nosocket_option, 1}, ++ {"nosocket", 0, &nosocket_cli_option, 1}, ++ {"no-socket", 0, &nosocket_cli_option, 1}, ++ {"socket", 0, &yessocket_cli_option, 1}, + {"help", 0, 0, 0}, + {"ini", 0, &ini_version, 1}, + {"interaction", 1, 0, 0}, +@@ -524,14 +549,11 @@ + input_name = xstrdup(sargv[sargc-1]); + sargv[sargc-1] = normalize_quotes(input_name, "argument"); + } +- if (safer_option) /* --safer implies --nosocket */ +- nosocket_option = 1; ++ UPDATE_SOCKET_STATUS(); + return; + #endif + } +- /*tex |--safer| implies |--nosocket| */ +- if (safer_option) +- nosocket_option = 1; ++ UPDATE_SOCKET_STATUS(); + /*tex Finalize the input filename. */ + if (input_name != NULL) { + argv[optind] = normalize_quotes(input_name, "argument"); +@@ -980,6 +1002,7 @@ + shellenabledp = true; + restrictedshell = false; + safer_option = 0; ++ nosocket_option = 0; + } + /*tex + Get the current locale (it should be |C|) and save |LC_CTYPE|, |LC_COLLATE| +@@ -1148,6 +1171,7 @@ + } + free(v1); + } ++ UPDATE_SOCKET_STATUS(); + /*tex If shell escapes are restricted, get allowed cmds from cnf. */ + if (shellenabledp && restrictedshell == 1) { + v1 = NULL; +--- texlive-bin.orig/texk/web2c/luatexdir/lua/luastuff.c ++++ texlive-bin/texk/web2c/luatexdir/lua/luastuff.c +@@ -323,7 +323,8 @@ + /*tex + The socket and mime libraries are a bit tricky to open because they use a + load-time dependency that has to be worked around for luatex, where the C +- module is loaded way before the lua module. ++ module is loaded way before the lua module. ++ The mime library is always available, even if the socket library is not enabled. 
+ */ + if (!nosocket_option) { + /* todo: move this to common */ +@@ -348,6 +349,23 @@ + lua_pop(L, 2); + /*tex preload the pure \LUA\ modules */ + luatex_socketlua_open(L); ++ } else { ++ lua_getglobal(L, "package"); ++ lua_getfield(L, -1, "loaded"); ++ if (!lua_istable(L, -1)) { ++ lua_newtable(L); ++ lua_setfield(L, -2, "loaded"); ++ lua_getfield(L, -1, "loaded"); ++ } ++ /*tex |package.loaded.mime = nil| */ ++ luaopen_mime_core(L); ++ lua_setfield(L, -2, "mime.core"); ++ lua_pushnil(L); ++ lua_setfield(L, -2, "mime"); ++ /*tex pop the table */ ++ lua_pop(L, 1); ++ /*tex preload the pure \LUA\ mime module */ ++ luatex_socketlua_safe_open(L); + } + luaopen_zlib(L); + luaopen_gzip(L); +--- texlive-bin.orig/texk/web2c/luatexdir/lua/luatex-api.h ++++ texlive-bin/texk/web2c/luatexdir/lua/luatex-api.h +@@ -123,6 +123,7 @@ + extern int luaopen_socket_core(lua_State * L); + extern int luaopen_mime_core(lua_State * L); + extern void luatex_socketlua_open(lua_State * L); ++extern void luatex_socketlua_safe_open(lua_State * L); + + extern int luaopen_img(lua_State * L); + extern int l_new_image(lua_State * L); +--- texlive-bin.orig/texk/web2c/luatexdir/luasocket/src/lua_preload.c ++++ texlive-bin/texk/web2c/luatexdir/luasocket/src/lua_preload.c +@@ -16,6 +16,7 @@ + + + extern void luatex_socketlua_open (lua_State *) ; ++extern void luatex_socketlua_safe_open (lua_State *) ; + #include "ftp_lua.c" + #include "headers_lua.c" + #include "http_lua.c" +@@ -47,3 +48,11 @@ + TEST(luatex_http_lua_open(L)); + TEST(luatex_ftp_lua_open(L)); + } ++ ++/* luatex_socketlua_safe_open: load safe modules */ ++/* of luasocket ( mime ). 
*/ ++void ++luatex_socketlua_safe_open (lua_State *L) { ++ TEST(luatex_ltn12_lua_open(L)); ++ TEST(luatex_mime_lua_open(L)); ++} diff -Nru texlive-bin-2022.20220321.62855/debian/patches/series texlive-bin-2022.20220321.62855/debian/patches/series --- texlive-bin-2022.20220321.62855/debian/patches/series 2023-05-18 21:15:13.000000000 +0000 +++ texlive-bin-2022.20220321.62855/debian/patches/series 2023-06-27 20:05:10.000000000 +0000 @@ -14,3 +14,4 @@ bad-whatis-entry_xml2pmx.1 wrong-manual-section_axohelp.1 CVE-2023-32700.patch +CVE-2023-32668.patch diff -Nru texlive-bin-2022.20220321.62855/debian/rules texlive-bin-2022.20220321.62855/debian/rules --- texlive-bin-2022.20220321.62855/debian/rules 2023-05-18 21:15:13.000000000 +0000 +++ texlive-bin-2022.20220321.62855/debian/rules 2023-06-27 20:05:10.000000000 +0000 @@ -12,7 +12,7 @@ # all cases. We have now two ways to test for where to build. # One by disabling on the other platforms, one by whitelisting # and building only on some platforms. -LUAJIT_GOOD_ARCHS := amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc +LUAJIT_GOOD_ARCHS := amd64 armel armhf kfreebsd-amd64 powerpc # In case one wants to build with old automake (<< 1.13.1), the following # variable has to be set. By default the debian/control requires high
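Review bot: In the new `else` branch in luastuff.c, `lua_pop(L, 1)` removes only `package.loaded` and leaves the `package` table on the stack, whereas the enabled branch visible just above this hunk pops two (`lua_pop(L, 2)`); unless the caller resets the stack, this should be `lua_pop(L, 2);` so both branches leave the stack balanced, and the same branch's `if (!lua_istable(L, -1))` fallback calls `lua_setfield(L, -2, "loaded")` with the non-table value just pushed at -2 rather than `package`, so it would raise instead of repairing a missing table (it looks copied from the existing pattern and is only harmless because `package.loaded` is always a table in practice). In the POSIX `socket_timeout_lua_sleep`, `while (nanosleep(&t, &r) != 0)` retries on every failure, but `r` is only written on EINTR, so any other error would spin forever; `while (nanosleep(&t, &r) != 0 && errno == EINTR)` (needs `<errno.h>`) bounds the loop, and `if (!(n >= 0.0)) n = 0.0;` would also reject a NaN argument before the `(int)` cast, which is undefined for NaN, in both the POSIX and Windows variants. The hunk also uses `DBL_MAX`, `INT_MAX`, `struct timespec`/`nanosleep` and `gettimeofday` without adding any `#include`; presumably loslibext.c already pulls in `<float.h>`, `<limits.h>`, `<time.h>` and `<sys/time.h>`, but that is worth confirming rather than relying on transitive includes. The comment above `UPDATE_SOCKET_STATUS` says `|0000| and |1xxx| implies |--nosocket|`, yet the macro's final `else` also disables the library for `|01xx|` (`--nosocket` given on the command line), so it should read `|0000|, |01xx| and |1xxx| imply |--nosocket|; bit |0010| (unrestricted shell escape) or |0001| (|--socket|) enables it`, which documents the security rationale that network access is only granted where arbitrary shell commands are already allowed; the enclosing functions in luastuff.c and luainit.c begin and end outside the hunk.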