[tlbuild] Security: Lua update and rebuild required

Karl Berry karl at freefriends.org
Fri Aug 7 00:57:56 CEST 2020


Hi Henri,

(Reducing to tlbuild + Luigi; luatex list is too big for this.)

    recently several CVEs for Lua (all versions up to 5.4.0) have been
    published:

How unfortunate, but thanks for the report.

I trust Luigi will install the fixes in the sources, which is what has
to happen first.

    Since users of LuaTeX are running potentially untrusted code and all
    of these vulnerabilities are rated with severity high or critical, I
    believe it is necessary to rebuild all affected LuaTeX versions,

I don't agree. The reality is that LuaTeX has been completely insecure
until, perhaps, this year's release. Even with the current release,
running "untrusted code" is always a risk. Installing the fixes for
those CVEs is not going to change that.

    ideally including those in frozen TeX Live releases.

Seems completely infeasible to me, sorry to say.  We have never rebuilt
binaries for anything but the current release before, and I can't see
starting now.  Anyone who wants such after-the-release fixes has always
had to update from the after-the-release repository. Certainly not
ideal, but that is the reality.

    This is particularly important because there already exist exploits
    for all of these vulnerabilities

Even more unfortunate.

I await Luigi's input.  If he feels we should, we could at least rebuild
the luatex binaries for the current release.  --thanks, karl.
