[tlbuild] Security: Lua update and rebuild required
luigi scarso
luigi.scarso at gmail.com
Sun Oct 4 21:41:40 CEST 2020
On Fri, Aug 7, 2020 at 12:57 AM Karl Berry <karl at freefriends.org> wrote:
> Hi Henri,
>
> (Reducing to tlbuild + Luigi; luatex list is too big for this.)
>
> recently several CVEs for Lua (all versions up to 5.4.0) have been
> published:
>
> How unfortunate, but thanks for the report.
>
> I trust Luigi will install the fixes in the sources, which is what has
> to happen first.
>
> Since users of LuaTeX are running potentially untrusted code and all
> of these vulnerabilities are rated with severity high or critical, I
> believe it is necessary to rebuild all affected LuaTeX versions,
>
> I don't agree. The reality is that LuaTeX has been completely insecure
> until, perhaps, this year's release. Even with the current release,
> running "untrusted code" is always a risk. Installing the fixes for
> those CVEs is not going to change that.
>
> ideally including those in frozen TeX Live releases.
>
> Seems completely infeasible to me, sorry to say. We have never rebuilt
> binaries for anything but the current release before, and I can't see
> starting now. Anyone who wants such after-the-release fixes has always
> had to update from the after-the-release repository. Certainly not
> ideal, but that is the reality.
>
> This is particularly important because there already exist exploits
> for all of these vulnerabilities
>
> Even more unfortunate.
>
> I await Luigi's input. If he feels we should, we could at least rebuild
> the luatex binaries for the current release. --thanks, karl.
>
We now have Lua 5.3.6, but it seems that the security patches are for Lua
5.4 only.
--
luigi