Resolves: #2209873, CVE-2023-32700

2023-05-26 15:40:33 +02:00 · 2023-05-26 15:40:33 +02:00 · a5b86d9e5c
parent 8b68f77db7
commit a5b86d9e5c
3 changed files with 1412 additions and 16 deletions
--- a/.texlive.metadata
+++ b/.texlive.metadata
@ -0,0 +1,83 @@
+25f146461f3d233c9838df6488d74967592d4074 ae.doc.tar.xz
+a59441c0decf2db6c1be5d84caa79dd09ec0ae34 ae.tar.xz
+3128e21c9d5a874eee632a4578fe93caa44398f7 algorithms.doc.tar.xz
+d57eb25595e18c911369113245a3251f1bf47150 algorithms.tar.xz
+a91124196d44d4987b6f600e3c14e75ca537905f alphalph.doc.tar.xz
+95fdbd2dd9da52724a20b9662c25a030c62bccbc alphalph.tar.xz
+15a12cd66dc3cbb279437018fe778c7ecd120815 amscls.doc.tar.xz
+78e5d82619f1d913bd4bcdac6dc1516f49431a98 amscls.tar.xz
+8997370e69ad3d736611f766cf26e71dc2c9084b amsfonts.doc.tar.xz
+a1076f563d3b320de7bd96f337e96bfba629b4d6 amsfonts.tar.xz
+1e1ad516b6d5b9e00f027687d16bbfee28caa7b0 anyfontsize.doc.tar.xz
+631f40de4433faba19f7a3365808c309c7ad1d2d anyfontsize.tar.xz
+762d10afa7f9860b1b3d8fe06ad361a307820a16 anysize.doc.tar.xz
+ae9ad99c08ff0351e515559f824061fe7444291c anysize.tar.xz
+b700271b36d4459cfa9490a2abeb77a2afd2fea3 appendix.doc.tar.xz
+0b36d5bc604a436216013d6fd4e158779d8aa9d3 appendix.tar.xz
+dc11bdc275cb3f464e5143d9a0fa0ba911140393 arabxetex.doc.tar.xz
+64c6baa95f013ef7e39467e92329aa42435c047b arabxetex.tar.xz
+8176d41acb7a3dfc608561600331a967fa722b00 arphic.doc.tar.xz
+5f843737184647289f934c273ce63924e883002f arphic.tar.xz
+1c108cec1d405fd930e53d7395570653cbed934f atbegshi.doc.tar.xz
+e00ab11fe52fb22859ab305b673e4d55312a98d0 atbegshi.tar.xz
+9abfc60ebc72f462db4f1ae585b7d7fafa98c2a4 attachfile.doc.tar.xz
+94fd3db897d1b38be41070bfaf29179293bda0eb attachfile.tar.xz
+f66fb02397bbb0b78d513dd039ab578b4d652717 atveryend.doc.tar.xz
+5fb65e4cb5d96218c335e5b7a36fe4b54093ab8c atveryend.tar.xz
+55ca341a1fd8029f3152697c4b46837b3cae7310 auxhook.doc.tar.xz
+bc4fa79049a4800806dc32173ef3ded8b6dbe72b auxhook.tar.xz
+ddd3bc0004b0a09a2302a1b5c81d2e6e66dc914b avantgar.tar.xz
+2202d1d7ce89eeff798afd3bccd036e74daf1443 babel-english.doc.tar.xz
+abc20554c7af505405f1f7d46f168696174f7618 babel-english.tar.xz
+ce37ffc6ad2b1e2929bd0ec409b2fa9e8eeba67f bera.doc.tar.xz
+0001a6458d0ea2a911e44098baf34b6a290704a3 bera.tar.xz
+d691ea07fe4b42d752ac231f351de450a2ed5ef9 beton.doc.tar.xz
+c136dfc2c0ead11abdaeec6710b163f56829f204 beton.tar.xz
+b01f5a228e8fb153477e2b393744647ccc1fcea7 bibtopic.doc.tar.xz
+8bf20142876310d00b4d9154c79f396dd5239873 bibtopic.tar.xz
+8bc2966eca1a4a2dfd8843967a3ce25753a0b5f8 bidi.doc.tar.xz
+412cab6489e86cd1101a2b46a109a6448b4c8670 bidi.tar.xz
+8db97a54a2afd4c9667c4ba80b6ce2b304312398 bigfoot.doc.tar.xz
+bdf31628be7b3c8ad139296560dd7a267dc3d131 bigfoot.tar.xz
+12e5e38dd041189df8b11e87d6f390ca804dbcde bigintcalc.doc.tar.xz
+b9a5cb176ec36bd4cc572bc37a3fc896c0705600 bigintcalc.tar.xz
+7ef411390038380b4ca94a4f097a1c74e079bbac bitset.doc.tar.xz
+597b5d0a77044aa51104b10b5cefe3efb876530d bitset.tar.xz
+1794aea8471f74ba54d94a433d7a87986e43de0e bookman.tar.xz
+5a1d330a18f0fe2a847020c280468f821876af81 bookmark.doc.tar.xz
+c4cf1d8cc1572cee1e8bee8e4d343a91e0264233 bookmark.tar.xz
+127faad7c20a2ec8f1163da228eea3d7b0db9bbe booktabs.doc.tar.xz
+dff6eb651567e3313d6d453fcb99db280599c13f booktabs.tar.xz
+da81e8c335b69f6b3ec71ab3a787fadcce4479ea breakurl.doc.tar.xz
+b49d9c42b69d3066e128abbd0d9abfd6b4fa7cc0 breakurl.tar.xz
+b6997e6754befd7d5e37741d9dcc1f79c00747c0 capt-of.doc.tar.xz
+5efb934cec44b3ce31e2c1b3e78fd1893f7998b0 capt-of.tar.xz
+76e1b03a6b79219782d0b8b2e3a6963f11f7dbc2 catchfile.doc.tar.xz
+053986ea9704a6383eda08017bab15026cd15239 catchfile.tar.xz
+9a2370bed8542508969fead8741cb5aaebb2d843 changebar.doc.tar.xz
+3e41b1db6bbbc9118edd93f2def3456988c771bb changebar.tar.xz
+7601d08833a05aac191a9f541c3599fbf0d16cdf changepage.doc.tar.xz
+595e5bddb6702a42eb5fa78d7ce4243ac72ef7d4 changepage.tar.xz
+83e712c8eff309798e2edb378f06aabb1aa0d85a charter.doc.tar.xz
+14eb884e0b45c2d91cfb1fbee592c8a71469bef4 charter.tar.xz
+8b773d34749bfb2b5d3aa955376d71137de9a985 chngcntr.doc.tar.xz
+834015df9eaac97dbce6b02707cbf1aa7828ffc7 chngcntr.tar.xz
+aba2db6ae2d8f177228f1d9118acb48563c879ad cite.doc.tar.xz
+6245a4636b2cde4c0de716d81536382b48739c69 cite.tar.xz
+70f7b2c8d7d6e2d949108387006cb9716301a9f7 cjk.doc.tar.xz
+f606ee1bf19953a1edf9757ad66735e98799777e cjk.tar.xz
+532bcd248710af62d4d2f26750360f7cbb0f9af0 classpack.doc.tar.xz
+f2e1c875b84e2da0be56376facf3edd92c776b65 classpack.tar.xz
+12aa1923110e4e123d321d661a39621f07c11755 cm.doc.tar.xz
+0bb158b366f8e6e3807cc5aa655357fd754d96aa cm-lgc.doc.tar.xz
+4efd5753d038881237aecc0ab0a364fe36bc5a7c cm-lgc.tar.xz
+3a16912bf093990fd333647ae7808dd7dbebec59 cm-super.doc.tar.xz
+7de3d3a8b362e37e535e7b9b00c3bf4c942618e9 cm-super.tar.xz
+8a186f25bdaf7107f60031c0ec440dd710e8d841 cm.tar.xz
+f618a11e59e89bc31237b584201dd135010704eb cns.doc.tar.xz
+a84de969df85944a1e7f74f5a9b0ff8b1f9bb8bc cns.tar.xz
+67260929b9c2e601eebe239028919701d8c108ef collection-fontsrecommended.tar.xz
+fdafcd677999f37036b644b4cd9a9966fb1189db colorprofiles.doc.tar.xz
+6a13064d9ec18421e590c6f73aafb141fb093a41 colorprofiles.tar.xz
+419846973f8d6abec06d93b1087aa152fae07cef colortbl.doc.tar.xz
+af2a431a54341ded2a17b6636e095280b597c5ba colortbl.tar.xz
--- a/texlive-2022-luatex-CVE-2023-32700.patch
+++ b/texlive-2022-luatex-CVE-2023-32700.patch
--- a/texlive.spec
+++ b/texlive.spec
@ -24,7 +24,7 @@

 Name: texlive
 Version: %{source_date}
-Release: 25%{?dist}
+Release: 26%{?dist}
 Epoch: %{tl_epoch}
 Summary: TeX formatting system
 Group: Applications/Publishing
@ -835,6 +835,9 @@ Patch101: etex-addlanguage-fix-bz1215257.patch
 Patch108: texlive-2017-xepersian-python.patch
 Patch109: texlive-2019-py3-and-pep8.patch
 Patch110: tabu-update-to-git-930bc77.patch
+# upstream
+# LuaTeX Security Vulnerabilities, CVE-2023-32700
+Patch200: texlive-2022-luatex-CVE-2023-32700.patch

 %description
 The TeX Live software distribution offers a complete TeX system for a
@ -24308,28 +24311,29 @@ Philipp Lehmann's etoolbox.
 %setup -q -c -T
 xz -dc %{SOURCE0} | tar x
 [ -e %{source_name} ] && mv %{source_name} source
-%patch1 -p0
-%patch2 -p1 -b .format
-%patch5 -p0
+%patch -P1 -p0
+%patch -P2 -p1 -b .format
+%patch -P5 -p0
 %if 0%{?fedora} || 0%{?rhel} >= 8
-%patch7 -p1 -b .newpoppler
+%patch -P7 -p1 -b .newpoppler
 %endif
-%patch8 -p1 -b .texinfo-fix
-%patch11 -p1 -b .dt
-%patch15 -p1 -b .disabletest
-%patch17 -p1 -b .annocheck
+%patch -P8 -p1 -b .texinfo-fix
+%patch -P11 -p1 -b .dt
+%patch -P15 -p1 -b .disabletest
+%patch -P17 -p1 -b .annocheck
 %if 0%{?fedora} || 0%{?rhel} >= 8
-%patch18 -p1 -b .poppler-0.73
+%patch -P18 -p1 -b .poppler-0.73
 %endif
-%patch19 -p1 -b .shh
-%patch20 -p1 -b .fix-libgs-detection
+%patch -P19 -p1 -b .shh
+%patch -P20 -p1 -b .fix-libgs-detection
 %if 0%{?fedora} || 0%{?rhel} >= 8
-%patch23 -p1 -b .poppler-0.84
+%patch -P23 -p1 -b .poppler-0.84
 %endif
-%patch28 -p1 -b .CVE-2019-19601
+%patch -P28 -p1 -b .CVE-2019-19601
 %if 0%{?fedora} >= 33 || 0%{?rhel} >= 9
-%patch29 -p1 -b .poppler090
+%patch -P29 -p1 -b .poppler090
 %endif
+%patch -P200 -p1

 # Setup copies of the licenses
 for l in `unxz -c %{SOURCE2} | tar t`; do
@ -28241,7 +28245,7 @@ done <<< "$list"
 %license lppl1.3.txt
 %{_texdir}/texmf-dist/tex/latex/minitoc/
 # drop minitoc/minitoc.dtx due to bad license
-#doc %{_texdir}/texmf-dist/doc/latex/minitoc/
+# %%doc %%{_texdir}/texmf-dist/doc/latex/minitoc/

 %files notoccite
 %license pd.txt
@ -28395,6 +28399,9 @@ done <<< "$list"
 %{_texdir}/texmf-dist/doc/latex/xpatch/

 %changelog
+* Fri May 26 2023 Than Ngo <than@redhat.com> - 9:20200406-26
+- Resolves: #2209873, CVE-2023-32700
+
 * Mon Feb 14 2022 Than Ngo <than@redhat.com> - 9:20200406-25
 - Resolves: #2031879, fix invalid symlink to mktexmf