texlive.bin.core-big: fix CVE-2023-32700

This fixes a bug that allowed any document compiled with LuaTeX to execute arbitrary shell commands, even with shell escape disabled. See https://tug.org/~mseven/luatex.html for more details.
2023-05-20 12:59:47 +02:00 · 2023-05-20 12:59:47 +02:00 · 23cf0d4b69
parent 26575bdf00
commit 23cf0d4b69
1 changed files with 8 additions and 0 deletions
--- a/pkgs/tools/typesetting/tex/texlive/bin.nix
+++ b/pkgs/tools/typesetting/tex/texlive/bin.nix
@ -202,6 +202,14 @@ core-big = stdenv.mkDerivation { #TODO: upmendex
      url = "https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1009196;filename=reproducible_exception_strings.patch;msg=5";
      sha256 = "sha256-RNZoEeTcWnrLaltcYrhNIORh42fFdwMzBfxMRWVurbk=";
    })
+    # fixes a security-issue in luatex that allows arbitrary code execution even with shell-escape disabled, see https://tug.org/~mseven/luatex.html
+    (fetchpatch {
+      name = "CVE-2023-32700.patch";
+      url = "https://tug.org/~mseven/luatex-files/2022/patch";
+      hash = "sha256-o9ENLc1ZIIOMX6MdwpBIgrR/Jdw6tYLmAyzW8i/FUbY=";
+      excludes = [  "build.sh" ];
+      stripLen = 1;
+    })
  ];

  hardeningDisable = [ "format" ];