[EXT] Re: Fwd: [USN-6695-1] TeX Live vulnerabilities

Zdenek Wagner zdenek.wagner at gmail.com
Thu Mar 14 20:29:15 CET 2024


No, base64 is not a problem. The problem for me is an attachment with
missing or invalid Content-Type received from a person whom I do not
know. Opening such attachments is a security risk.

Zdeněk Wagner
https://www.zdenek-wagner.eu/

On Thu 14 Mar 2024 at 19:45, Philip Taylor (RHUoL) via tex-live
<tex-live at tug.org> wrote:
>
> Juergen Fenn via tex-live wrote:
>
> Thanks for the hint. I'm afraid, Thunderbird cannot read these mail
> attachments.
>
> The key part is in base-64, so can be decoded online :
>
> ==========================================================================
> Ubuntu Security Notice USN-6695-1
> March 14, 2024
>
> texlive-bin vulnerabilities
> ==========================================================================
>
> A security issue affects these releases of Ubuntu and its derivatives:
>
> - Ubuntu 23.10
> - Ubuntu 22.04 LTS
> - Ubuntu 20.04 LTS
>
> Summary:
>
> Several security issues were fixed in TeX Live.
>
> Software Description:
> - texlive-bin: Binaries for TeX Live
>
> Details:
>
> It was discovered that TeX Live incorrectly handled certain memory
> operations in the embedded axodraw2 tool. An attacker could possibly use
> this issue to cause TeX Live to crash, resulting in a denial of service.
> This issue only affected Ubuntu 20.04 LTS. (CVE-2019-18604)
>
> It was discovered that TeX Live allowed documents to make arbitrary
> network requests. If a user or automated system were tricked into opening a
> specially crafted document, a remote attacker could possibly use this issue
> to exfiltrate sensitive information, or perform other network-related
> attacks. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
> (CVE-2023-32668)
>
> It was discovered that TeX Live incorrectly handled certain TrueType fonts.
> If a user or automated system were tricked into opening a specially crafted
> TrueType font, a remote attacker could use this issue to cause TeX Live to
> crash, resulting in a denial of service, or possibly execute arbitrary
> code. (CVE-2024-25262)
>
> Update instructions:
>
> The problem can be corrected by updating your system to the following
> package versions:
>
> Ubuntu 23.10:
>    texlive-binaries                2023.20230311.66589-6ubuntu0.1
>    texlive-binaries-sse2           2023.20230311.66589-6ubuntu0.1
>
> Ubuntu 22.04 LTS:
>    texlive-binaries                2021.20210626.59705-1ubuntu0.2
>
> Ubuntu 20.04 LTS:
>    texlive-binaries                2019.20190605.51237-3ubuntu0.2
>
> In general, a standard system update will make all the necessary changes.
>
> References:
>    https://ubuntu.com/security/notices/USN-6695-1
>    CVE-2019-18604, CVE-2023-32668, CVE-2024-25262
>
> Package Information:
>    https://launchpad.net/ubuntu/+source/texlive-bin/2023.20230311.66589-6ubuntu0.1
>    https://launchpad.net/ubuntu/+source/texlive-bin/2021.20210626.59705-1ubuntu0.2
>    https://launchpad.net/ubuntu/+source/texlive-bin/2019.20190605.51237-3ubuntu0.2
>
> --
> Philip Taylor
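As an added example (not part of this thread or of Ubuntu's own tooling): a small Python check that reads the fixed versions out of the quoted notice and tests an installed version against them using dpkg's version-ordering rules, because a plain string comparison gets cases like `0.10` versus `0.2` wrong. The installed version string is supplied by the caller; on an Ubuntu host it would come from `dpkg-query -W -f='${Version}' texlive-binaries`.

```python
import re
from itertools import zip_longest

# Fixed versions as quoted from USN-6695-1 in the thread above (two of its three releases).
ADVISORY = """
Ubuntu 22.04 LTS:
   texlive-binaries                2021.20210626.59705-1ubuntu0.2
Ubuntu 20.04 LTS:
   texlive-binaries                2019.20190605.51237-3ubuntu0.2
"""

def parse_fixed_versions(text):
    """Build {release: {package: fixed_version}} from the notice's update table."""
    fixed, release = {}, None
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()  # tolerate '> ' mail quoting
        if line.startswith("Ubuntu") and line.endswith(":"):
            release = line[:-1]
        elif release and len(line.split()) == 2:
            pkg, ver = line.split()
            fixed.setdefault(release, {})[pkg] = ver
    return fixed

def _order(c):
    """dpkg's rank for a non-digit character: '~' sorts before end-of-string (0), letters before symbols."""
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg's rule for one version part: compare non-digit runs by rank, digit runs numerically."""
    pairs = lambda s: re.findall(r"(\D*)(\d*)", s)  # alternating (non-digit, digit) chunks
    for (na, da), (nb, db) in zip_longest(pairs(a), pairs(b), fillvalue=("", "")):
        ka, kb = [_order(c) for c in na] + [0], [_order(c) for c in nb] + [0]
        if ka != kb:
            return -1 if ka < kb else 1
        if int(da or 0) != int(db or 0):  # so 0.10 > 0.2, unlike a plain string compare
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(a, b):
    """-1, 0 or 1 as Debian version a is <, == or > b (dpkg --compare-versions semantics)."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_patched(release, package, installed, text=ADVISORY):
    """True when the installed version is at or above the one the notice lists as fixed."""
    return compare_versions(installed, parse_fixed_versions(text)[release][package]) >= 0
```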