Opened 12 months ago

Closed 12 months ago

Last modified 9 months ago

#18006 closed enhancement (fixed)

texlive: luatex security fix

Reported by: ken@… Owned by: ken@…
Priority: elevated Milestone: 12.0
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

On Tuesday on the tlbuild list Karl Berry posted a mail starting

Hello TL builders,

Some issues have been found in luatex (obscure ways to work around some
security features; thanks to Max Chernoff), so we need to rebuild.
Luigi has committed fixes to the sources, and labeled the new luatex
version 1.17.0. All variants of the engine are affected, so there are
four binaries to update:
  luatex luahbtex luajitex luajithbtex

FYI, the change that's most likely to be noticeable is that the socket
library is now disabled by default; a new option --socket enables it, as
well as --shell-escape (not --shell-restricted). In addition, the mime
library is now always available, and new functions os.socketsleep and
os.socketgettime are also always available. I will put a summary at
https://tug.org/texlive/bugs.html after the binaries are committed.

We need to rebuild from branch2023 (committed in r66984),
because too many unrelated changes have been made to the trunk.

Looking at the git mirror of the source, the unrelated changes include moving stuff to 2024, various bug fixes including the uptex test, and other fixes where the main part is in svn master (not in the git mirror) - identifiable because the only change in the git mirror is a version change in linked_scripts.

I don't like patching multiple items in texmf-dist, so I started by creating only a security_fix patch for the source (two commits for luatex, v1.16.1 and 1.17.9, plus updated NEWS listing what had changed). Builds all my test files which use luatex variants. But then I tried my mkiv context test scripts, both failed.

I asked on texlive; following that, Karl clarified a switch I'd asked about (it is used when luatex is invoked) and made a commit to one of the scripts. I've now got a (very messy) sed to update that in texmf-dist, and my context test files now complete.

I estimate this should be described as 'medium severity'. Raising the ticket now since it is publicly mentioned at https://tug.org/texlive/bugs.html.

The binary will need a Note: for anyone using luatex (if the version is less than 1.17.0, use tlmgr to update, and if using context (luametatex) a further tlmgr update may be required).

Will try to commit this in the next few days.

Change History (6)

comment:1 by ken@…, 12 months ago

Forgot to add that (of course) all the extra programs (asy, biber, dvisvgm, xindy) need to be reinstalled; removing /opt/texlive/2023 is the only supported option for reinstalling the source.

comment:2 by Xi Ruoyao, 12 months ago

I can successfully build texlive with the patch in patches.git and use lualatex to render some of my docs. But I don't know how to test it systematically or analyse whether the security vuln. is fixed.

comment:3 by ken@…, 12 months ago (in reply to comment:2)

Replying to Xi Ruoyao:

I can successfully build texlive with the patch in patches.git and use lualatex to render some of my docs. But I don't know how to test it systematically or analyse whether the security vuln. is fixed.

Thanks. Neither do I. From Karl's reply to me at https://tug.org/pipermail/tex-live/2023-May/049196.html the presence of the new option --socket shown in 'luatex --help' appears to indicate that the fix is available (i.e. v1.17.0).

I've now cloned the full mirror from texlive.info - that was more than 60GB while I was downloading, at which point I got worried about space and cleared out various other items. After that it was down to 41GB (!), and finished at 53GB. Looking at the commits I'd reviewed from the texlive-source mirror, obviously the hashes now differ. Reviewing them at texlive.info I can see that LuaTeX 1.17.0 also updated:

texmf-dist/doc/luatex/base/luatex-fontloader.tex
texmf-dist/doc/luatex/base/luatex-languages.tex
texmf-dist/doc/luatex/base/luatex-lua.tex

but since those are only documentation, I'm not inclined to redo the patch.
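Added example (not from the ticket or from TeX Live): a POSIX shell check that turns the indicator described above into a pass/fail test, i.e. the installed luatex reports version 1.17.0 or later and its --help output lists the new --socket option. The banner format "This is LuaTeX, Version X.Y.Z ..." and the sample help line are assumptions constructed here.

```shell
#!/bin/sh
# Extract "1.16.0" from a banner such as
# "This is LuaTeX, Version 1.16.0 (TeX Live 2023)" (banner format assumed).
luatex_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^This is LuaTeX, Version \([0-9][0-9.]*\).*/\1/p' | head -n1
}

# Returns 0 when dotted version $1 sorts before $2 (e.g. 1.16.1 < 1.17.0).
# Missing components count as 0, so "1.17" compares equal to "1.17.0".
version_lt() {
    IFS=. read -r a1 a2 a3 <<EOF
$1
EOF
    IFS=. read -r b1 b2 b3 <<EOF
$2
EOF
    [ "${a1:-0}" -lt "${b1:-0}" ] && return 0
    [ "${a1:-0}" -gt "${b1:-0}" ] && return 1
    [ "${a2:-0}" -lt "${b2:-0}" ] && return 0
    [ "${a2:-0}" -gt "${b2:-0}" ] && return 1
    [ "${a3:-0}" -lt "${b3:-0}" ]
}

# Verdict for one installation: 0 = fixed build (>= 1.17.0 and --socket
# advertised), 1 = still needs 'tlmgr update'.
# $1 = output of 'luatex --version', $2 = output of 'luatex --help'.
luatex_is_patched() {
    v=$(luatex_version_from_banner "$1")
    [ -n "$v" ] || return 1
    version_lt "$v" 1.17.0 && return 1
    printf '%s\n' "$2" | grep -q -e '--socket' || return 1
    return 0
}

# Constructed sample outputs so the functions can be exercised offline.
SAMPLE_OLD_BANNER='This is LuaTeX, Version 1.16.0 (TeX Live 2023)'
SAMPLE_NEW_BANNER='This is LuaTeX, Version 1.17.0 (TeX Live 2023)'
SAMPLE_NEW_HELP='  --socket                      enable the socket library'

# Live check when a luatex binary is on PATH.
if command -v luatex >/dev/null 2>&1; then
    if luatex_is_patched "$(luatex --version 2>/dev/null)" "$(luatex --help 2>/dev/null)"; then
        echo "luatex: 1.17.0 or later with --socket: OK"
    else
        echo "luatex: older than 1.17.0 or no --socket: update with tlmgr"
    fi
fi
```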

comment:4 by ken@…, 12 months ago

Book update in 9eed74cc6b06a45ad8c6a881dec105281d446c8c 11.3-473

Keeping open until I have done a Security Advisory and posted to blfs-support.

comment:5 by ken@…, 12 months ago

Resolution: fixed
Status: assigned → closed

Security Advisory SA 11.3-024.

I've posted on -support (also asking about context / possible removal - copied to -dev for that)

comment:6 by Bruce Dubbs, 9 months ago

Milestone: 11.4 → 12.0

Milestone renamed
