Advisories » MGASA-2024-0108

Updated texlive-20220321 packages fix security vulnerabilities

Publication date: 05 Apr 2024
Modification date: 05 Apr 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-25262 , CVE-2023-32668

Description

LuaTeX before 1.17.0 allows a document (compiled with the default
settings) to make arbitrary network requests. This occurs because full
access to the socket library is permitted by default, as stated in the
documentation. This also affects TeX Live before 2023 r66984 and MiKTeX
before 23.5. (CVE-2023-32668)
texlive-bin commit c515e was discovered to contain heap buffer overflow
via the function ttfLoadHDMX:ttfdump. This vulnerability allows
attackers to cause a Denial of Service (DoS) via supplying a crafted TTF
file. (CVE-2024-25262)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=32971
• https://ubuntu.com/security/notices/USN-6695-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25262
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32668

SRPMS

9/core

• texlive-20220321-7.1.mga9