USN-6695-1: TeX Live vulnerabilities

Releases

• Ubuntu 23.10
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS

Packages

• texlive-bin - Binaries for TeX Live

Details

It was discovered that TeX Live incorrectly handled certain memory
operations in the embedded axodraw2 tool. An attacker could possibly use
this issue to cause TeX Live to crash, resulting in a denial of service.
This issue only affected Ubuntu 20.04 LTS. (CVE-2019-18604)

It was discovered that TeX Live allowed documents to make arbitrary
network requests. If a user or automated system were tricked into opening a
specially crafted document, a remote attacker could possibly use this issue
to exfiltrate sensitive information, or perform other network-related
attacks. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2023-32668)

It was discovered that TeX Live incorrectly handled certain TrueType fonts.
If a user or automated system were tricked into opening a specially crafted
TrueType font, a remote attacker could use this issue to cause TeX Live to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2024-25262)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 23.10

• texlive-binaries - 2023.20230311.66589-6ubuntu0.1
• texlive-binaries-sse2 - 2023.20230311.66589-6ubuntu0.1

Ubuntu 22.04

• texlive-binaries - 2021.20210626.59705-1ubuntu0.2

Ubuntu 20.04

• texlive-binaries - 2019.20190605.51237-3ubuntu0.2

In general, a standard system update will make all the necessary changes.

References

• CVE-2024-25262
• CVE-2019-18604
• CVE-2023-32668