diff --git a/CVE-2023-32668.patch b/CVE-2023-32668.patch new file mode 100644 index 0000000000000000000000000000000000000000..5d34f13e3182de53e88a835288da30ac25be14c7 --- /dev/null +++ b/CVE-2023-32668.patch @@ -0,0 +1,243 @@ +Origin: https://salsa.debian.org/lts-team/packages/texlive-bin/-/blob/debian/2020.20200327.54578-7+deb11u2/debian/patches/CVE-2023-32668.patch?ref_type=tags + +diff --git a/texlive-20180414-source/texk/web2c/luatexdir/lua/loslibext.c b/texlive-20180414-source/texk/web2c/luatexdir/lua/loslibext.c +index e6bcfb0..d6c8f90 100644 +--- a/texlive-20180414-source/texk/web2c/luatexdir/lua/loslibext.c ++++ b/texlive-20180414-source/texk/web2c/luatexdir/lua/loslibext.c +@@ -1013,6 +1013,59 @@ static int os_execute(lua_State * L) + return ret; + } + ++/* socket.sleep and socket.gettime */ ++/* are duplicated here, and they are */ ++/* always available (the socket library */ ++/* can be nil in some setups) */ ++#ifdef _WIN32 ++static int socket_timeout_lua_sleep(lua_State *L) ++{ ++ double n = luaL_checknumber(L, 1); ++ if (n < 0.0) n = 0.0; ++ if (n < DBL_MAX/1000.0) n *= 1000.0; ++ if (n > INT_MAX) n = INT_MAX; ++ Sleep((int)n); ++ return 0; ++} ++static double socket_timeout_gettime(void) { ++ FILETIME ft; ++ double t; ++ GetSystemTimeAsFileTime(&ft); ++ /* Windows file time (time since January 1, 1601 (UTC)) */ ++ t = ft.dwLowDateTime/1.0e7 + ft.dwHighDateTime*(4294967296.0/1.0e7); ++ /* convert to Unix Epoch time (time since January 1, 1970 (UTC)) */ ++ return (t - 11644473600.0); ++} ++#else ++static int socket_timeout_lua_sleep(lua_State *L) ++{ ++ double n = luaL_checknumber(L, 1); ++ struct timespec t, r; ++ if (n < 0.0) n = 0.0; ++ if (n > INT_MAX) n = INT_MAX; ++ t.tv_sec = (int) n; ++ n -= t.tv_sec; ++ t.tv_nsec = (int) (n * 1000000000); ++ if (t.tv_nsec >= 1000000000) t.tv_nsec = 999999999; ++ while (nanosleep(&t, &r) != 0) { ++ t.tv_sec = r.tv_sec; ++ t.tv_nsec = r.tv_nsec; ++ } ++ return 0; ++} ++static double socket_timeout_gettime(void) { ++ struct timeval v; ++ gettimeofday(&v, (struct timezone *) NULL); ++ /* Unix Epoch time (time since January 1, 1970 (UTC)) */ ++ return v.tv_sec + v.tv_usec/1.0e6; ++} ++#endif ++static int socket_timeout_lua_gettime(lua_State *L) ++{ ++ lua_pushnumber(L, socket_timeout_gettime()); ++ return 1; ++} ++ + + /* + ** ====================================================== +@@ -1152,8 +1205,15 @@ void open_oslibext(lua_State * L) + lua_setfield(L, -2, "execute"); + lua_pushcfunction(L, os_tmpdir); + lua_setfield(L, -2, "tmpdir"); ++ + lua_pushcfunction(L, io_kpse_popen); + lua_setfield(L, -2, "kpsepopen"); + ++ lua_pushcfunction(L, socket_timeout_lua_sleep); ++ lua_setfield(L, -2, "socketsleep"); ++ ++ lua_pushcfunction(L, socket_timeout_lua_gettime); ++ lua_setfield(L, -2, "socketgettime"); ++ + lua_pop(L, 1); /* pop the table */ + } +diff --git a/texlive-20180414-source/texk/web2c/luatexdir/lua/luainit.w b/texlive-20180414-source/texk/web2c/luatexdir/lua/luainit.w +index dec76b0..157b8f8 100644 +--- a/texlive-20180414-source/texk/web2c/luatexdir/lua/luainit.w ++++ b/texlive-20180414-source/texk/web2c/luatexdir/lua/luainit.w +@@ -83,6 +83,8 @@ const_string LUATEX_IHELP[] = { + " --lua=FILE load and execute a lua initialization script", + " --[no-]mktex=FMT disable/enable mktexFMT generation (FMT=tex/tfm)", + " --nosocket disable the lua socket library", ++ " --no-socket disable the lua socket library", ++ " --socket enable the lua socket library", + " --output-comment=STRING use STRING for DVI file comment instead of date (no effect for PDF)", + " --output-directory=DIR use existing DIR as the directory to write files in", + " --output-format=FORMAT use FORMAT for job output; FORMAT is 'dvi' or 'pdf'", +@@ -198,9 +200,31 @@ char *jithash_hashname = NULL; + #endif + + int safer_option = 0; +-int nosocket_option = 0; ++int nosocket_option = 1; ++int nosocket_cli_option = 0; ++int yessocket_cli_option = 0; ++int socket_bitmask = 0; + int utc_option = 0; + ++/*tex We use a bitmask for the socket library: |0000| and |1xxx| implies |--nosocket|, ++ otherwise the socket library is enabled. Default value is |0000|, i.e. |--nosocket|. ++*/ ++#define UPDATE_SOCKET_STATUS() do { \ ++ socket_bitmask = 0; \ ++ socket_bitmask = safer_option==1? (8+socket_bitmask):socket_bitmask;\ ++ socket_bitmask = nosocket_cli_option==1? (4+socket_bitmask):socket_bitmask;\ ++ socket_bitmask = (shellenabledp == 1 && restrictedshell == 0)?(2+socket_bitmask):socket_bitmask;\ ++ socket_bitmask = yessocket_cli_option==1? (1+socket_bitmask):socket_bitmask;\ ++ if( socket_bitmask==0) { \ ++ nosocket_option = 1; \ ++ } else if ( socket_bitmask<4) { \ ++ nosocket_option = 0; \ ++ } else { \ ++ nosocket_option = 1; \ ++ } \ ++} while (0) ++ ++ + @ Reading the options. + + @ Test whether getopt found an option ``A''. +@@ -230,7 +254,9 @@ static struct option long_options[] = { + #endif + {"safer", 0, &safer_option, 1}, + {"utc", 0, &utc_option, 1}, +- {"nosocket", 0, &nosocket_option, 1}, ++ {"nosocket", 0, &nosocket_cli_option, 1}, ++ {"no-socket", 0, &nosocket_cli_option, 1}, ++ {"socket", 0, &yessocket_cli_option, 1}, + {"help", 0, 0, 0}, + {"ini", 0, &ini_version, 1}, + {"interaction", 1, 0, 0}, +@@ -497,13 +523,11 @@ static void parse_options(int ac, char **av) + input_name = xstrdup(sargv[sargc-1]); + sargv[sargc-1] = normalize_quotes(input_name, "argument"); + } +- if (safer_option) /* --safer implies --nosocket */ +- nosocket_option = 1; ++ UPDATE_SOCKET_STATUS(); + return; + #endif + } +- if (safer_option) /* --safer implies --nosocket */ +- nosocket_option = 1; ++ UPDATE_SOCKET_STATUS(); + /* Finalize the input filename. */ + if (input_name != NULL) { + argv[optind] = normalize_quotes(input_name, "argument"); +@@ -931,6 +955,7 @@ void lua_initialize(int ac, char **av) + shellenabledp = true; + restrictedshell = false; + safer_option = 0; ++ nosocket_option = 0; + } + /* Get the current locale (it should be C ) */ + /* and save LC_CTYPE, LC_COLLATE and LC_NUMERIC. */ +@@ -1093,6 +1118,7 @@ void lua_initialize(int ac, char **av) + } + free(v1); + } ++ UPDATE_SOCKET_STATUS(); + /* If shell escapes are restricted, get allowed cmds from cnf. */ + if (shellenabledp && restrictedshell == 1) { + v1 = NULL; +diff --git a/texlive-20180414-source/texk/web2c/luatexdir/lua/luastuff.w b/texlive-20180414-source/texk/web2c/luatexdir/lua/luastuff.w +index a2b1dd1..249b3af 100644 +--- a/texlive-20180414-source/texk/web2c/luatexdir/lua/luastuff.w ++++ b/texlive-20180414-source/texk/web2c/luatexdir/lua/luastuff.w +@@ -304,6 +304,7 @@ void luainterpreter(void) + The socket and mime libraries are a bit tricky to open because they use a load-time + dependency that has to be worked around for luatex, where the C module is loaded + way before the lua module. ++ The mime library is always available, even if the socket library is not enabled. + */ + + if (!nosocket_option) { +@@ -327,6 +328,23 @@ void luainterpreter(void) + lua_pop(L, 2); /* pop the tables */ + + luatex_socketlua_open(L); /* preload the pure lua modules */ ++ } else { ++ lua_getglobal(L, "package"); ++ lua_getfield(L, -1, "loaded"); ++ if (!lua_istable(L, -1)) { ++ lua_newtable(L); ++ lua_setfield(L, -2, "loaded"); ++ lua_getfield(L, -1, "loaded"); ++ } ++ /*tex |package.loaded.mime = nil| */ ++ luaopen_mime_core(L); ++ lua_setfield(L, -2, "mime.core"); ++ lua_pushnil(L); ++ lua_setfield(L, -2, "mime"); ++ /*tex pop the table */ ++ lua_pop(L, 1); ++ /*tex preload the pure \LUA\ mime module */ ++ luatex_socketlua_safe_open(L); + } + + /* zlib. slightly odd calling convention */ +diff --git a/texlive-20180414-source/texk/web2c/luatexdir/lua/luatex-api.h b/texlive-20180414-source/texk/web2c/luatexdir/lua/luatex-api.h +index 36b2f59..5236a51 100644 +--- a/texlive-20180414-source/texk/web2c/luatexdir/lua/luatex-api.h ++++ b/texlive-20180414-source/texk/web2c/luatexdir/lua/luatex-api.h +@@ -98,6 +98,7 @@ extern int luaopen_profiler(lua_State * L); + extern int luaopen_socket_core(lua_State * L); + extern int luaopen_mime_core(lua_State * L); + extern void luatex_socketlua_open(lua_State * L); ++extern void luatex_socketlua_safe_open(lua_State * L); + + extern int luaopen_img(lua_State * L); + extern int l_new_image(lua_State * L); +diff --git a/texlive-20180414-source/texk/web2c/luatexdir/luasocket/src/lua_preload.c b/texlive-20180414-source/texk/web2c/luatexdir/luasocket/src/lua_preload.c +index e9433df..480fb3d 100644 +--- a/texlive-20180414-source/texk/web2c/luatexdir/luasocket/src/lua_preload.c ++++ b/texlive-20180414-source/texk/web2c/luatexdir/luasocket/src/lua_preload.c +@@ -15,6 +15,7 @@ int luatex_http_lua_open(lua_State*); + int luatex_ftp_lua_open(lua_State*); + + ++extern void luatex_socketlua_safe_open (lua_State *) ; + #include "ftp_lua.c" + #include "headers_lua.c" + #include "http_lua.c" +@@ -46,3 +47,11 @@ luatex_socketlua_open (lua_State *L) { + TEST(luatex_http_lua_open(L)); + TEST(luatex_ftp_lua_open(L)); + } ++ ++/* luatex_socketlua_safe_open: load safe modules */ ++/* of luasocket ( mime ). */ ++void ++luatex_socketlua_safe_open (lua_State *L) { ++ TEST(luatex_ltn12_lua_open(L)); ++ TEST(luatex_mime_lua_open(L)); ++} diff --git a/texlive-base.spec b/texlive-base.spec index 046bef579d98f4344edf635a2588cb6b59013c42..51e2ec7fdfef718c90386e870d72e9cc56808681 100644 --- a/texlive-base.spec +++ b/texlive-base.spec @@ -4,7 +4,7 @@ Name: texlive-base Version: 20180414 -Release: 33 +Release: 34 Epoch: 7 Summary: TeX formatting system License: ASL 2.0 and Artistic 2.0 and BSD and GFDL-1.1-or-later and GPL+ and GPLv2 and GPLv3 and Knuth-CTAN and LGPLv2+ and LGPLv3+ and LPPL-1.2 and LPPL-1.3 and LPPL-1.3c and OFL-1.1 and Public Domain @@ -381,6 +381,7 @@ Patch0004: texlive-base-CVE-2018-17407.patch Patch0005: remove-support-of-poppler.patch Patch0006: CVE-2023-32700.patch Patch0007: CVE-2023-46048.patch +Patch0008: CVE-2023-32668.patch BuildRequires: xz libXaw-devel libXi-devel ncurses-devel bison flex file perl(Digest::MD5) texinfo gcc-c++ BuildRequires: gd-devel freetype-devel libpng-devel zlib-devel @@ -8096,6 +8097,9 @@ done <<< "$list" %doc %{_datadir}/texlive/texmf-dist/doc/latex/yplan/ %changelog +* Mon Nov 17 2025 wangkai <13474090681@163.com> - 7:20180414-34 +- Fix CVE-2023-32668 + * Mon Aug 05 2024 wangkai <13474090681@163.com> - 7:20180414-33 - Fix CVE-2023-46048