[EXT] Re: Fwd: [USN-6695-1] TeX Live vulnerabilities

Philip Taylor (RHUoL) P.Taylor at Rhul.Ac.Uk
Thu Mar 14 19:45:30 CET 2024


Juergen Fenn via tex-live wrote:

Thanks for the hint. I'm afraid Thunderbird cannot read these mail
attachments.


The key part is in base-64, so it can be decoded online:
==========================================================================
Ubuntu Security Notice USN-6695-1
March 14, 2024

texlive-bin vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in TeX Live.

Software Description:
- texlive-bin: Binaries for TeX Live

Details:

It was discovered that TeX Live incorrectly handled certain memory
operations in the embedded axodraw2 tool. An attacker could possibly use
this issue to cause TeX Live to crash, resulting in a denial of service.
This issue only affected Ubuntu 20.04 LTS. (CVE-2019-18604)

It was discovered that TeX Live allowed documents to make arbitrary
network requests. If a user or automated system were tricked into opening a
specially crafted document, a remote attacker could possibly use this issue
to exfiltrate sensitive information, or perform other network-related
attacks. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2023-32668)

It was discovered that TeX Live incorrectly handled certain TrueType fonts.
If a user or automated system were tricked into opening a specially crafted
TrueType font, a remote attacker could use this issue to cause TeX Live to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2024-25262)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
   texlive-binaries                2023.20230311.66589-6ubuntu0.1
   texlive-binaries-sse2           2023.20230311.66589-6ubuntu0.1

Ubuntu 22.04 LTS:
   texlive-binaries                2021.20210626.59705-1ubuntu0.2

Ubuntu 20.04 LTS:
   texlive-binaries                2019.20190605.51237-3ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-6695-1
   CVE-2019-18604, CVE-2023-32668, CVE-2024-25262

Package Information:
   https://launchpad.net/ubuntu/+source/texlive-bin/2023.20230311.66589-6ubuntu0.1
   https://launchpad.net/ubuntu/+source/texlive-bin/2021.20210626.59705-1ubuntu0.2
   https://launchpad.net/ubuntu/+source/texlive-bin/2019.20190605.51237-3ubuntu0.2

--
Philip Taylor
