Fwd: [USN-6695-1] TeX Live vulnerabilities

Norbert Preining norbert at preining.info
Tue Mar 19 09:55:08 CET 2024

Hi Bruno,

I really don't want to dig through more history here. Max has done an
awful lot of work, Ubuntu maintainers have as usual remained inactive
and left it "to the community", and nobody has contacted the Debian
developers it seems (I am still on that mailing list).

So all in all, in my eyes another typical case of
	I am a security researcher and need for my PhD N >= 3 CVEs with
	my name on it ...

> -> but the issue was created on February 7 at cve.mitre, and published by Ubuntu on February 29, well after Karl's commit, so I wonder

People look at the code as it is in the Debian / Ubuntu repositories,
and most of the time do NOT check back whether upstream TeX Live has it
fixed already.

> -> the problem is attributed to a "texlive-bin commit c515e" but it's unclear what that means. Is this a commit to a texlive-bin package that would exist in Debian or Ubuntu? If so, I've no idea how to visualize that particular commit.

Probably the Debian git repo or the Ubuntu git repo commit hash that
made it into the last released version of it. If I wanted, I could look it up
(at least for the Debian side), but I don't see a win here.

Best regards


PREINING Norbert                              https://www.preining.info
arXiv / Cornell University   +   IFMGA Guide   +   TU Wien  +  TeX Live
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
