Discussion:
Processed: bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u2
(too old to reply)
Debian Bug Tracking System
2024-10-18 21:20:01 UTC
Permalink
affects -1 + src:texlive-bin
Bug #1085395 [release.debian.org] bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u2
Added indication that 1085395 affects src:texlive-bin
--
1085395: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085395
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2024-10-19 13:30:02 UTC
Permalink
tag -1 moreinfo
Bug #1085395 [release.debian.org] bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u2
Added tag(s) moreinfo.
--
1085395: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085395
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Jonathan Wiltshire
2024-10-19 13:30:02 UTC
Permalink
Control: tag -1 moreinfo

Hi,
diff -Nru texlive-bin-2022.20220321.62855/debian/changelog texlive-bin-2022.20220321.62855/debian/changelog
--- texlive-bin-2022.20220321.62855/debian/changelog 2023-06-27 22:07:12.000000000 +0200
+++ texlive-bin-2022.20220321.62855/debian/changelog 2024-10-11 22:47:45.000000000 +0200
@@ -1,3 +1,11 @@
+texlive-bin (2022.20220321.62855-5.1+deb12u2) bookworm; urgency=medium
+
+ * Add patches from upstream for "luatex loses or changes text when
+ discretionaries with priorities are used" (Closes: #1041441).
Is that bug metadata wrong, or is the bug unfixed in unstable? That's a
pre-requisite.
+ * Add patch for CVE-2024-25262.
If you end up needing to do a revised upload for any reason, please expand
this description of what the CVE actually is.
+diff --git a/source/texk/web2c/luatexdir/lang/texlang.c b/source/texk/web2c/luatexdir/lang/texlang.c
+index f9e53bbba..a0d067251 100644
+--- a/texk/web2c/luatexdir/lang/texlang.c
++++ b/texk/web2c/luatexdir/lang/texlang.c
+ /*tex check if we have two exceptions in a row */
+ if (uword[i + 1] == '{') {
+ i--;
++t = alink(t);
+ }
+ } else {
+ t = vlink(t);
Is this indented as you intended?

Thanks,
--
Jonathan Wiltshire ***@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Salvatore Bonaccorso
2024-10-26 19:00:02 UTC
Permalink
Hi Jonathan,
Post by Jonathan Wiltshire
Control: tag -1 moreinfo
Hi,
diff -Nru texlive-bin-2022.20220321.62855/debian/changelog texlive-bin-2022.20220321.62855/debian/changelog
--- texlive-bin-2022.20220321.62855/debian/changelog 2023-06-27 22:07:12.000000000 +0200
+++ texlive-bin-2022.20220321.62855/debian/changelog 2024-10-11 22:47:45.000000000 +0200
@@ -1,3 +1,11 @@
+texlive-bin (2022.20220321.62855-5.1+deb12u2) bookworm; urgency=medium
+
+ * Add patches from upstream for "luatex loses or changes text when
+ discretionaries with priorities are used" (Closes: #1041441).
Is that bug metadata wrong, or is the bug unfixed in unstable? That's a
pre-requisite.
Note I'm just a bystander here, but intersted to see this update
happening as it includes a CVE fix as well.

I believe the above is a consequence of
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041441#77 .

Hilmar, note that would not be needed, the BTS can track fixes in
various versions. So instread of cloning the bug and reopen the clone
to track the bookworm update, you could simply continue as well fixing
#1018206 itself for bookworm.

I closed now #1041441 with the same version of #1018206 and removing
here the moreinfo tag, so Jonathan might accept the upload for the
next point release.

Or ... actually not removing the moreinfo tag as there is one question
open for you.

Regards,
Salvatore
Hilmar Preusse
2024-11-04 22:50:01 UTC
Permalink
Control: tag -1 - moreinfo
Hello Jonathan,

Thanks for response!
Post by Jonathan Wiltshire
diff -Nru texlive-bin-2022.20220321.62855/debian/changelog texlive-bin-2022.20220321.62855/debian/changelog
--- texlive-bin-2022.20220321.62855/debian/changelog 2023-06-27 22:07:12.000000000 +0200
+++ texlive-bin-2022.20220321.62855/debian/changelog 2024-10-11 22:47:45.000000000 +0200
@@ -1,3 +1,11 @@
+texlive-bin (2022.20220321.62855-5.1+deb12u2) bookworm; urgency=medium
+
+ * Add patches from upstream for "luatex loses or changes text when
+ discretionaries with priorities are used" (Closes: #1041441).
Is that bug metadata wrong, or is the bug unfixed in unstable? That's a
pre-requisite.
The bug is fixed in unstable. That #1041441 is just a clone of the
original bug: #1018206, which has been solved in 2023.20230311.66589-1.
Post by Jonathan Wiltshire
+ * Add patch for CVE-2024-25262.
If you end up needing to do a revised upload for any reason, please expand
this description of what the CVE actually is.
I would copy the "description" from [1] into the patch. Would this be
OK?
Post by Jonathan Wiltshire
+diff --git a/source/texk/web2c/luatexdir/lang/texlang.c b/source/texk/web2c/luatexdir/lang/texlang.c
+index f9e53bbba..a0d067251 100644
+--- a/texk/web2c/luatexdir/lang/texlang.c
++++ b/texk/web2c/luatexdir/lang/texlang.c
+ /*tex check if we have two exceptions in a row */
+ if (uword[i + 1] == '{') {
+ i--;
++t = alink(t);
+ }
+ } else {
+ t = vlink(t);
Is this indented as you intended?
This is how it has been done by upstream, see [2] line 705.

Hilmar

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-25262
[2] https://github.com/TeX-Live/texlive-source/blob/trunk/texk/web2c/luatexdir/lang/texlang.c
Debian Bug Tracking System
2024-11-04 22:50:01 UTC
Permalink
tag -1 - moreinfo
Bug #1085395 [release.debian.org] bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u2
Removed tag(s) moreinfo.
--
1085395: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085395
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Jonathan Wiltshire
2024-11-15 16:40:02 UTC
Permalink
package release.debian.org
tags 1085395 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: texlive-bin
Version: 2022.20220321.62855-5.1+deb12u2

Explanation: fix data loss when using discretionaries with priorities; fix heap buffer overflow [CVE-2024-25262]
Debian Bug Tracking System
2025-01-11 11:10:03 UTC
Permalink
Your message dated Sat, 11 Jan 2025 11:03:09 +0000
with message-id <E1tWZGn-009jcC-***@coccia.debian.org>
and subject line Close 1085395
has caused the Debian Bug report #1085395,
regarding bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
1085395: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085395
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Loading...