Fwd: [USN-6695-1] TeX Live vulnerabilities
Bruno Voisin
bvoisin at icloud.com
Fri Mar 15 18:25:41 CET 2024
> Karl wrote:
>
> https://ubuntu.com/security/notices/USN-6695-1
>
> Calling "axodraw2" and "TeX Live" the same thing is bizarre.
>
> Anyway, if someone can unearth the actual patches from Ubuntu's
> byzantine set of links, I'm sure the author (John Collins) will be happy
> to apply them. I failed.
Trying to understand what this whole thing is about.
This seems a report about three separate vulnerabilities:
https://ubuntu.com/security/CVE-2019-18604
-> affects axohelp before version 1.3, and axodraw2 before 2.1.1b
-> tl 2024 contains axohelp 1.4 and axodraw2 2.1.1c, so we're safe
-> based on the affected Ubuntu versions, the problem seems solved since tl 2021
https://ubuntu.com/security/CVE-2023-32668
-> affects LuaTeX before version 1.17.0
-> tl 2024 contains LuaTeX 1.18.0, so we're safe
-> was fixed in May 2023 <https://tug.org/pipermail/tex-live/2023-May/049188.html>
https://ubuntu.com/security/CVE-2024-25262
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25262
-> affects ttfdump
-> that page mentions a commit by Karl on January 21 as a patch
https://github.com/TeX-Live/texlive-source/pull/63
https://tug.org/svn/texlive/trunk/Build/source/texk/ttfdump/ChangeLog?revision=69605&view=co
-> but the issue was created on February 7 at cve.mitre, and published by Ubuntu on February 29, well after Karl's commit, so I wonder
-> the problem is attributed to a "texlive-bin commit c515e" but it's unclear what that means. Is this a commit to a texlive-bin package that would exist in Debian or Ubuntu? If so, I've no idea how to visualize that particular commit.
Bruno Voisin
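The triage above boils down to "is the installed version at or above the first unaffected one?" for each component. The following is an added example (not Bruno's or the TeX Live project's code) that does that comparison mechanically, using the thresholds quoted from the three Ubuntu CVE pages. It assumes `luatex --version` prints "This is LuaTeX, Version 1.18.0 (TeX Live 2024)" as its first line; the axodraw2 \ProvidesPackage line and the axohelp banner are constructed sample input, not captured output. CVE-2024-25262 (ttfdump) is left out because the message gives no fixed version for it.

```python
import re

# First version that is NOT affected, per the Ubuntu CVE pages cited above:
#   CVE-2019-18604: axohelp < 1.3 and axodraw2 < 2.1.1b are affected
#   CVE-2023-32668: LuaTeX < 1.17.0 is affected
FIXED_IN = {
    "axohelp": "1.3",
    "axodraw2": "2.1.1b",
    "luatex": "1.17.0",
}

# Dotted numeric fields plus an optional trailing letter (2.1.1b, 2.1.1c).
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")

# Where a version string sits inside a banner: "Version 1.18.0", "version 1.4",
# or a bare "v2.1.1c" as written in a \ProvidesPackage optional argument.
_BANNER_RE = re.compile(r"[Vv](?:ersion)?[ :]*(\d+(?:\.\d+)*[a-z]?)")


def parse_version(text):
    """Turn '2.1.1c' into ((2, 1, 1), 'c').

    Numeric fields compare as integers (so 1.18 > 1.9), and a trailing
    letter sorts after the bare release, which is what the axodraw2
    2.1.1 / 2.1.1b / 2.1.1c sequence needs.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("unrecognised version string: %r" % text)
    numbers = tuple(int(field) for field in m.group(1).split("."))
    return numbers, m.group(2)


def is_fixed(component, installed):
    """True if `installed` is at or above the first unaffected version."""
    return parse_version(installed) >= parse_version(FIXED_IN[component])


def extract_version(banner):
    """Pull the version string out of a --version banner or \\ProvidesPackage line."""
    m = _BANNER_RE.search(banner)
    if m is None:
        raise ValueError("no version found in: %r" % banner)
    return m.group(1)


def triage(banners):
    """Map component -> (installed version, fixed?) for a dict of captured banners."""
    result = {}
    for component, banner in banners.items():
        installed = extract_version(banner)
        result[component] = (installed, is_fixed(component, installed))
    return result


# Constructed sample input: the LuaTeX line mirrors the real `luatex --version`
# format (assumption); the other two lines are made up for illustration.
SAMPLE_BANNERS = {
    "luatex": "This is LuaTeX, Version 1.18.0 (TeX Live 2024)",
    "axodraw2": r"\ProvidesPackage{axodraw2}[2024/01/15 v2.1.1c Feynman diagrams]",
    "axohelp": "axohelp version 1.4",
}

if __name__ == "__main__":
    for component, (installed, ok) in triage(SAMPLE_BANNERS).items():
        print("%-9s %-8s fixed-in %-7s -> %s" % (
            component, installed, FIXED_IN[component], "ok" if ok else "AFFECTED"))
```

On a real install you would feed `triage()` the first line of `luatex --version` and the \ProvidesPackage line of the installed axodraw2.sty (e.g. `kpsewhich axodraw2.sty`); the comparison deliberately treats a bare "2.1.1" as older than "2.1.1b", since the CVE page names the lettered release as the fix.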
More information about the tex-live mailing list.