[SECURITY] [DSA 5406-1] texlive-bin security update

2023-05-2008:14:54

lists.debian.org

luatex

shell-escape

texlive-bin

debian

cve-2023-32700

security update

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

40.5%

JSON

Debian Security Advisory DSA-5406-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
May 20, 2023 https://www.debian.org/security/faq

Package : texlive-bin
CVE ID : CVE-2023-32700

Max Chernoff discovered that improperly secured shell-escape in LuaTeX
may result in arbitrary shell command execution, even with shell escape
disabled, if specially crafted tex files are processed.

For the stable distribution (bullseye), this problem has been fixed in
version 2020.20200327.54578-7+deb11u1.

We recommend that you upgrade your texlive-bin packages.

For the detailed security status of texlive-bin please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/texlive-bin

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian11mips64ellibkpathsea6< 2020.20200327.54578-7+deb11u1libkpathsea6_2020.20200327.54578-7+deb11u1_mips64el.deb
Debian11mips64ellibtexlua53< 2020.20200327.54578-7+deb11u1libtexlua53_2020.20200327.54578-7+deb11u1_mips64el.deb
Debian10alltexlive-bin< 2018.20181218.49446-1+deb10u1texlive-bin_2018.20181218.49446-1+deb10u1_all.deb
Debian10armhflibtexlua52-dev< 2018.20181218.49446-1+deb10u1libtexlua52-dev_2018.20181218.49446-1+deb10u1_armhf.deb
Debian11i386libkpathsea6< 2020.20200327.54578-7+deb11u1libkpathsea6_2020.20200327.54578-7+deb11u1_i386.deb
Debian11arm64libkpathsea6-dbgsym< 2020.20200327.54578-7+deb11u1libkpathsea6-dbgsym_2020.20200327.54578-7+deb11u1_arm64.deb
Debian10amd64libkpathsea6< 2018.20181218.49446-1+deb10u1libkpathsea6_2018.20181218.49446-1+deb10u1_amd64.deb
Debian11amd64libkpathsea6< 2020.20200327.54578-7+deb11u1libkpathsea6_2020.20200327.54578-7+deb11u1_amd64.deb
Debian11i386texlive-binaries-dbgsym< 2020.20200327.54578-7+deb11u1texlive-binaries-dbgsym_2020.20200327.54578-7+deb11u1_i386.deb
Debian11arm64texlive-binaries< 2020.20200327.54578-7+deb11u1texlive-binaries_2020.20200327.54578-7+deb11u1_arm64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	mips64el	libkpathsea6	< 2020.20200327.54578-7+deb11u1	libkpathsea6_2020.20200327.54578-7+deb11u1_mips64el.deb
Debian	11	mips64el	libtexlua53	< 2020.20200327.54578-7+deb11u1	libtexlua53_2020.20200327.54578-7+deb11u1_mips64el.deb
Debian	10	all	texlive-bin	< 2018.20181218.49446-1+deb10u1	texlive-bin_2018.20181218.49446-1+deb10u1_all.deb
Debian	10	armhf	libtexlua52-dev	< 2018.20181218.49446-1+deb10u1	libtexlua52-dev_2018.20181218.49446-1+deb10u1_armhf.deb
Debian	11	i386	libkpathsea6	< 2020.20200327.54578-7+deb11u1	libkpathsea6_2020.20200327.54578-7+deb11u1_i386.deb
Debian	11	arm64	libkpathsea6-dbgsym	< 2020.20200327.54578-7+deb11u1	libkpathsea6-dbgsym_2020.20200327.54578-7+deb11u1_arm64.deb
Debian	10	amd64	libkpathsea6	< 2018.20181218.49446-1+deb10u1	libkpathsea6_2018.20181218.49446-1+deb10u1_amd64.deb
Debian	11	amd64	libkpathsea6	< 2020.20200327.54578-7+deb11u1	libkpathsea6_2020.20200327.54578-7+deb11u1_amd64.deb
Debian	11	i386	texlive-binaries-dbgsym	< 2020.20200327.54578-7+deb11u1	texlive-binaries-dbgsym_2020.20200327.54578-7+deb11u1_i386.deb
Debian	11	arm64	texlive-binaries	< 2020.20200327.54578-7+deb11u1	texlive-binaries_2020.20200327.54578-7+deb11u1_arm64.deb