Fwd: [USN-6695-1] TeX Live vulnerabilities

Bruno Voisin bvoisin at icloud.com
Fri Mar 15 18:25:41 CET 2024

> Karl wrote:
>     https://ubuntu.com/security/notices/USN-6695-1
> Calling "axodraw2" and "TeX Live" the same thing is bizarre.
> Anyway, if someone can unearth the actual patches from Ubuntu's
> byzantine set of links, I'm sure the author (John Collins) will be happy
> to apply them. I failed.

Trying to understand what this whole thing is about.

This seems to be a report about three separate vulnerabilities:


-> affects axohelp before version 1.3, and axodraw2 before 2.1.1b

-> tl 2024 contains axohelp 1.4 and axodraw2 2.1.1c, so we're safe

-> based on the affected Ubuntu versions, the problem seems solved since tl 2021


-> affects LuaTeX before version 1.17.0

-> tl 2024 contains LuaTeX 1.18.0, so we're safe

-> was fixed in May 2023 <https://tug.org/pipermail/tex-live/2023-May/049188.html>


-> affects ttfdump

-> that page mentions a commit by Karl on January 21 as a patch


-> but the issue was created on February 7 at cve.mitre, and published by Ubuntu on February 29, well after Karl's commit, so I wonder

-> the problem is attributed to a "texlive-bin commit c515e" but it's unclear what that means. Is this a commit to a texlive-bin package that would exist in Debian or Ubuntu? If so, I've no idea how to visualize that particular commit.

Bruno Voisin
