texlive.bin.core-big: fix CVE-2023-32700
This fixes a bug that allowed any document compiled with LuaTeX to execute arbitrary shell commands, even with shell escape disabled. See https://tug.org/~mseven/luatex.html for more details.
This commit is contained in:
parent
26575bdf00
commit
23cf0d4b69
|
@ -202,6 +202,14 @@ core-big = stdenv.mkDerivation { #TODO: upmendex
|
|||
url = "https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1009196;filename=reproducible_exception_strings.patch;msg=5";
|
||||
sha256 = "sha256-RNZoEeTcWnrLaltcYrhNIORh42fFdwMzBfxMRWVurbk=";
|
||||
})
|
||||
# fixes a security-issue in luatex that allows arbitrary code execution even with shell-escape disabled, see https://tug.org/~mseven/luatex.html
|
||||
(fetchpatch {
|
||||
name = "CVE-2023-32700.patch";
|
||||
url = "https://tug.org/~mseven/luatex-files/2022/patch";
|
||||
hash = "sha256-o9ENLc1ZIIOMX6MdwpBIgrR/Jdw6tYLmAyzW8i/FUbY=";
|
||||
excludes = [ "build.sh" ];
|
||||
stripLen = 1;
|
||||
})
|
||||
];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
|
Loading…
Reference in a new issue