[EXT] Re: Fwd: [USN-6695-1] TeX Live vulnerabilities

Zdenek Wagner zdenek.wagner at gmail.com
Thu Mar 14 21:01:07 CET 2024


It was nothing against you. multipart/mixed with base64 is a standard
and my mail client can handle it, thus I was able to see the text.
However, the original mail from Martin Sievers contained two
attachments of strange types. Such mails usually contain malware, thus
it is not a good practice to report vulnerabilities that way. I have
deleted that mail because it looked like an attack attempt itself. The
other two mails containing links to the relevant web pages were
useful.

Zdeněk Wagner
https://www.zdenek-wagner.eu/

On Thu, 14 Mar 2024 at 20:44, Philip Taylor (RHUoL)
<P.Taylor at rhul.ac.uk> wrote:

>
> Zdenek Wagner wrote:
>
> No, base64 is not a problem. The problem for me is an attachment with
> missing or invalid Content-Type received from a person whom I do not
> know. Opening such attachments is a security risk.
>
> I did not need to open any attachments, Zdeněk — the base-64 content was embedded in the file, and displayed as soon as I read the message.  See below :
>
>
>
>
> -------- Forwarded Message --------
> Subject: [USN-6695-1] TeX Live vulnerabilities
> Date: Thu, 14 Mar 2024 09:25:40 -0400
> From: Marc Deslauriers <marc.deslauriers at canonical.com>
> Reply-To: Ubuntu Security <security at ubuntu.com>
> To: ubuntu-security-announce at lists.ubuntu.com <ubuntu-security-announce at lists.ubuntu.com>
>
> Message part as attachment
>
> This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
> --------------8fBQZfJjuY37JKHJjlopKb8p
> Content-Type: multipart/mixed; boundary="------------ucMPlTR8knZKIbfSfris3KdB";
>  protected-headers="v1"
> From: Marc Deslauriers <marc.deslauriers at canonical.com>
> Reply-To: Ubuntu Security <security at ubuntu.com>
> To: "ubuntu-security-announce at lists.ubuntu.com"
>  <ubuntu-security-announce at lists.ubuntu.com>
> Message-ID: <2a6317d8-78f2-4900-97fe-1e59a2b78e3a at canonical.com>
> Subject: [USN-6695-1] TeX Live vulnerabilities
>
> --------------ucMPlTR8knZKIbfSfris3KdB
> Content-Type: text/plain; charset=UTF-8; format=flowed
> Content-Transfer-Encoding: base64
>
>
> --------------ucMPlTR8knZKIbfSfris3KdB--
>
> --------------8fBQZfJjuY37JKHJjlopKb8p
> Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
> Content-Description: OpenPGP digital signature
> Content-Disposition: attachment; filename="OpenPGP_signature.asc"
>
>
> --------------8fBQZfJjuY37JKHJjlopKb8p--
>
>
>
> Message part as attachment
>
>
> --
> Philip Taylor
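
Added example, not part of the thread or written by any of its participants: a Python sketch of the distinction discussed above, decoding a base64 text/plain part inline while flagging parts whose Content-Type is missing or malformed without touching their payload. The sample message, the verdict names and the triage() helper are constructed for illustration.

```python
import base64
import email
import re

# Constructed sample (not the real USN mail): a base64 text/plain body, an
# attachment with no Content-Type header, and one with a malformed type.
BODY = base64.b64encode(b"Ubuntu Security Notice USN-6695-1\r\n").decode()
SAMPLE = "\r\n".join([
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain; charset=UTF-8; format=flowed",
    "Content-Transfer-Encoding: base64",
    "",
    BODY,
    "--b1",
    'Content-Disposition: attachment; filename="report"',
    "",
    "opaque bytes",
    "--b1",
    "Content-Type: strange",
    'Content-Disposition: attachment; filename="x.bin"',
    "",
    "more opaque bytes",
    "--b1--",
    "",
])

# RFC 2045 style "type/subtype" check on the raw header value (hypothetical helper names).
TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
VALID_CTYPE = re.compile(rf"{TOKEN}/{TOKEN}")

def triage(raw):
    """Return (verdict, filename, decoded_text) per leaf part; only inline text is decoded."""
    report = []
    for part in email.message_from_string(raw).walk():
        if part.is_multipart():
            continue
        declared = part.get("Content-Type")  # None when the header is absent
        text = None
        if declared is None:
            verdict = "missing-content-type"
        elif not VALID_CTYPE.fullmatch(str(declared).split(";")[0].strip()):
            verdict = "invalid-content-type"
        elif part.get_content_maintype() == "text" and part.get_content_disposition() != "attachment":
            verdict = "inline-text"
            charset = part.get_content_charset("utf-8")
            text = part.get_payload(decode=True).decode(charset, "replace")
        else:
            verdict = "attachment"
        report.append((verdict, part.get_filename(), text))
    return report
```

The check reads the raw header because get_content_type() silently falls back to text/plain when the header is absent or malformed, which would hide exactly the parts worth flagging.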

