Commit 23cf0d4b authored by apfelkuchen06's avatar apfelkuchen06

texlive.bin.core-big: fix CVE-2023-32700

This fixes a bug that allowed any document compiled with LuaTeX to execute
arbitrary shell commands, even with shell escape disabled.

See https://tug.org/~mseven/luatex.html for more details.
parent 26575bdf
+8 −0
@@ -202,6 +202,14 @@ core-big = stdenv.mkDerivation { #TODO: upmendex
      url = "https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1009196;filename=reproducible_exception_strings.patch;msg=5";
      sha256 = "sha256-RNZoEeTcWnrLaltcYrhNIORh42fFdwMzBfxMRWVurbk=";
    })
    # fixes a security-issue in luatex that allows arbitrary code execution even with shell-escape disabled, see https://tug.org/~mseven/luatex.html
    (fetchpatch {
      name = "CVE-2023-32700.patch";
      url = "https://tug.org/~mseven/luatex-files/2022/patch";
      hash = "sha256-o9ENLc1ZIIOMX6MdwpBIgrR/Jdw6tYLmAyzW8i/FUbY=";
      excludes = [  "build.sh" ];
      stripLen = 1;
    })
  ];

  hardeningDisable = [ "format" ];
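Review bot: The new `fetchpatch` entry does not say why `build.sh` is excluded or why `stripLen = 1` is needed, and it pulls the fix from an unversioned path under a personal directory (`https://tug.org/~mseven/luatex-files/2022/patch`). The pinned `hash` means a modified file fails the fetch instead of being applied silently, but the security fix also becomes unfetchable if that file is moved or regenerated, so a versioned or mirrored source would be more durable if one exists. I would extend the comment above the entry with something like `# build.sh is excluded because <reason>; drop this patch once the packaged TeX Live release contains the fix`. As a minor style point, `[  "build.sh" ]` has a doubled space, and this entry uses `hash =` while the neighbouring one uses `sha256 =`. The enclosing patches list starts above the hunk, so I cannot tell whether other engines built by this derivation need the same fix.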