
Security Vulnerabilities detected!!

Open AKhares opened this issue 2 years ago • 3 comments

Hi Team,

In our recent vulnerability scans we observed multiple vulnerabilities. Usage:

```dockerfile
RUN PACKAGES="wget perl-switch" \
    && apk --no-cache add tzdata \
    && wget -qO- \
       "https://yihui.org/tinytex/install-bin-unix.sh" | \
       sh -s - --admin --no-path \
    && mv ~/.TinyTeX /opt/TinyTeX \
    && /opt/TinyTeX/bin/*/tlmgr path add \
    && tlmgr path add \
    && chown -R root:adm /opt/TinyTeX \
    && chmod -R g+w /opt/TinyTeX \
    && chmod -R g+wx /opt/TinyTeX/bin \
    && tlmgr install epstopdf-pkg
```

Vulnerabilities List:

| Component | Version | Source | Source ID | Tag | Advisory |
|---|---|---|---|---|---|
| libpng | 1.6.37 | sourceforge | libpng/v1.6.37 | v1.6.37 | BDSA-2019-5322 |
| lua | 5.3.6 | unknown | | v5.3.6 | CVE-2020-15888 (BDSA-2020-1807) |
| lua | 5.3.6 | unknown | | v5.3.6 | CVE-2020-15945 (BDSA-2020-1850) |
| lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2058 |
| lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2093 |
| lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2094 |
| lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2099 |
| lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2021-3384 |
| lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2022-0057 |
| lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2022-0976 |
| lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2022-1825 |
| lz4 | 1.8.3 | github | lz4/lz4:v1.8.3 | v1.8.3 | CVE-2019-17543 (BDSA-2019-3383) |
| lz4 | 1.8.3 | github | lz4/lz4:v1.8.3 | v1.8.3 | CVE-2021-3520 (BDSA-2021-1549) |
| The FreeType Project | 2.11.1 | unknown | | 2.11.1 | CVE-2022-27404 (BDSA-2022-1122) |
| The FreeType Project | 2.11.1 | unknown | | 2.11.1 | CVE-2022-27405 (BDSA-2022-1123) |
| The FreeType Project | 2.11.1 | unknown | | 2.11.1 | CVE-2022-27406 (BDSA-2022-1124) |
| The FreeType Project | 2.11.1 | unknown | | 2.11.1 | BDSA-2022-1494 |
| Wget | 1.20.1 | gnu | wget:1.20.1 | 1.20.1 | CVE-2019-5953 (BDSA-2019-0984) |
| Wget | 1.20.1 | gnu | wget:1.20.1 | 1.20.1 | CVE-2021-31879 (BDSA-2021-1176) |
| Xpdf | 4.03 | unknown | | 4.03 | BDSA-2019-4611 |
| Xpdf | 4.03 | unknown | | 4.03 | BDSA-2020-2283 |
| Xpdf | 4.03 | unknown | | 4.03 | CVE-2021-30860 |
| Xpdf | 4.03 | unknown | | 4.03 | CVE-2022-27135 |
| Xpdf | 4.03 | unknown | | 4.03 | BDSA-2022-1301 |
| Xpdf | 4.03 | unknown | | 4.03 | CVE-2021-27548 |
| Xpdf | 4.03 | unknown | | 4.03 | CVE-2022-38334 |
| Xpdf | 4.03 | unknown | | 4.03 | BDSA-2022-3104 |
| Xpdf | 4.03 | unknown | | 4.03 | CVE-2021-36493 |
| XZ Utils | 5.2.4 | unknown | | 5.2.4 | BDSA-2022-0958 |
| zlib | 1.2.11 | unknown | | 1.2.11 | CVE-2018-25032 (BDSA-2018-5271) |
| zlib | 1.2.11 | unknown | | 1.2.11 | CVE-2022-37434 (BDSA-2022-2183) |

I see that the packages are installed using https://tinytex.yihui.org/pkgs-custom.txt. Can we get the latest versions of these packages installed via https://tinytex.yihui.org/pkgs-custom.txt? If that's done, we can get over most of these vulnerabilities, or at least we will be at their latest versions.

Regards, Amber Khare

AKhares · Feb 16 '23 11:02
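An added triage helper, not part of this issue or of the tinytex-releases project: it parses the flattened scanner rows pasted above into structured records, separates findings that carry a CVE id from BDSA-only advisories (which need the vendor advisory to map to an upstream fix), and ranks components by finding count. The column labels `source_id` and `tag` are my assumed names for the row shape; the scanner output on the page does not name its columns.

```python
import re
from collections import OrderedDict

# Constructed sample input: the 31 scanner rows from the issue above, flattened
# onto one line exactly as they were pasted (rows simply run together).
SCAN_TEXT = (
    "libpng | 1.6.37 | sourceforge | libpng/v1.6.37 | v1.6.37 | BDSA-2019-5322 "
    "lua | 5.3.6 | unknown |   | v5.3.6 | CVE-2020-15888 (BDSA-2020-1807) "
    "lua | 5.3.6 | unknown |   | v5.3.6 | CVE-2020-15945 (BDSA-2020-1850) "
    "lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2020-2058 "
    "lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2020-2093 "
    "lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2020-2094 "
    "lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2020-2099 "
    "lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2021-3384 "
    "lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2022-0057 "
    "lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2022-0976 "
    "lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2022-1825 "
    "lz4 | 1.8.3 | github | lz4/lz4:v1.8.3 | v1.8.3 | CVE-2019-17543 (BDSA-2019-3383) "
    "lz4 | 1.8.3 | github | lz4/lz4:v1.8.3 | v1.8.3 | CVE-2021-3520 (BDSA-2021-1549) "
    "The FreeType Project | 2.11.1 | unknown |   | 2.11.1 | CVE-2022-27404 (BDSA-2022-1122) "
    "The FreeType Project | 2.11.1 | unknown |   | 2.11.1 | CVE-2022-27405 (BDSA-2022-1123) "
    "The FreeType Project | 2.11.1 | unknown |   | 2.11.1 | CVE-2022-27406 (BDSA-2022-1124) "
    "The FreeType Project | 2.11.1 | unknown |   | 2.11.1 | BDSA-2022-1494 "
    "Wget | 1.20.1 | gnu | wget:1.20.1 | 1.20.1 | CVE-2019-5953 (BDSA-2019-0984) "
    "Wget | 1.20.1 | gnu | wget:1.20.1 | 1.20.1 | CVE-2021-31879 (BDSA-2021-1176) "
    "Xpdf | 4.03 | unknown |   | 4.03 | BDSA-2019-4611 "
    "Xpdf | 4.03 | unknown |   | 4.03 | BDSA-2020-2283 "
    "Xpdf | 4.03 | unknown |   | 4.03 | CVE-2021-30860 "
    "Xpdf | 4.03 | unknown |   | 4.03 | CVE-2022-27135 "
    "Xpdf | 4.03 | unknown |   | 4.03 | BDSA-2022-1301 "
    "Xpdf | 4.03 | unknown |   | 4.03 | CVE-2021-27548 "
    "Xpdf | 4.03 | unknown |   | 4.03 | CVE-2022-38334 "
    "Xpdf | 4.03 | unknown |   | 4.03 | BDSA-2022-3104 "
    "Xpdf | 4.03 | unknown |   | 4.03 | CVE-2021-36493 "
    "XZ Utils | 5.2.4 | unknown |   | 5.2.4 | BDSA-2022-0958 "
    "zlib | 1.2.11 | unknown |   | 1.2.11 | CVE-2018-25032 (BDSA-2018-5271) "
    "zlib | 1.2.11 | unknown |   | 1.2.11 | CVE-2022-37434 (BDSA-2022-2183)"
)

# One advisory cell: a CVE id, optionally followed by the BDSA id in parentheses,
# or a bare BDSA id. The advisory is the only reliable row terminator, so the row
# regex keys on it to decide where one row ends and the next component begins.
ADVISORY_RE = r"(?:CVE-\d{4}-\d{4,}(?:\s*\(BDSA-\d{4}-\d{4}\))?|BDSA-\d{4}-\d{4})"

# Column names source_id and tag are assumed labels for the 4th and 5th fields.
ROW_RE = re.compile(
    r"(?P<component>[^|]+?)\s*\|\s*(?P<version>[^|]*?)\s*\|\s*(?P<source>[^|]*?)\s*\|\s*"
    r"(?P<source_id>[^|]*?)\s*\|\s*(?P<tag>[^|]*?)\s*\|\s*(?P<advisory>" + ADVISORY_RE + ")"
)


def parse_rows(text):
    """Split flattened scanner output into one dict per finding."""
    rows = []
    for m in ROW_RE.finditer(text):
        row = {k: v.strip() for k, v in m.groupdict().items()}
        row["cves"] = re.findall(r"CVE-\d{4}-\d{4,}", row["advisory"])
        row["bdsa"] = re.findall(r"BDSA-\d{4}-\d{4}", row["advisory"])
        rows.append(row)
    return rows


def summarize(rows):
    """Collapse findings per component: version, counts and the CVE ids to look up."""
    summary = OrderedDict()
    for row in rows:
        entry = summary.setdefault(row["component"], {
            "version": row["version"], "findings": 0, "cves": set(), "advisory_only": 0,
        })
        entry["findings"] += 1
        if row["cves"]:
            entry["cves"].update(row["cves"])
        else:
            entry["advisory_only"] += 1  # BDSA-only: no public CVE to cross-check
    for entry in summary.values():
        entry["cves"] = sorted(entry["cves"])
    return summary


def worst_first(summary):
    """Component names ordered by number of findings, most first, then by name."""
    return sorted(summary, key=lambda c: (-summary[c]["findings"], c))


if __name__ == "__main__":
    summary = summarize(parse_rows(SCAN_TEXT))
    print(f"{'component':22} {'version':8} {'findings':>8} {'bdsa-only':>9}  cves")
    for name in worst_first(summary):
        e = summary[name]
        print(f"{name:22} {e['version']:8} {e['findings']:8} {e['advisory_only']:9}  "
              + ", ".join(e["cves"]))
```

Running the script prints one line per component, most findings first; the `cves` column is what to cross-check against the component's upstream changelog, while the BDSA-only count tells you how many entries cannot be verified without the scanner vendor's advisory text.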

> Can we get the latest versions of these packages installed via https://tinytex.yihui.org/pkgs-custom.txt? If that's done, we can get over most of these vulnerabilities, or at least we will be at their latest versions.

We do install the very latest versions in the daily release: https://github.com/rstudio/tinytex-releases/releases/tag/daily The installation script https://yihui.org/tinytex/install-bin-unix.sh installs the daily version by default. So I'm not sure why you still got the problems.

Thanks for the report anyway!

yihui · Feb 17 '23 15:02

Thanks for the reply! Actually, we are using the reporter plugin (https://github.com/IzakMarais/reporter), which has the script mentioned in the issue details:

```dockerfile
RUN PACKAGES="wget libswitch-perl" \
    && apk update \
    && apk add $PACKAGES \
    && apk add ca-certificates \
    && wget -qO- \
       "https://github.com/yihui/tinytex/raw/master/tools/install-unx.sh" | \
       sh -s - --admin --no-path \
    && mv ~/.TinyTeX /opt/TinyTeX \
    && /opt/TinyTeX/bin/*/tlmgr path add \
    && tlmgr path add \
    && chown -R root:adm /opt/TinyTeX \
    && chmod -R g+w /opt/TinyTeX \
    && chmod -R g+wx /opt/TinyTeX/bin \
    && tlmgr install epstopdf-pkg \
    # Cleanup
    && apk del --purge -qq $PACKAGES \
    && apk del --purge -qq \
    && rm -rf /var/lib/apt/lists/*
```

So it's using https://github.com/yihui/tinytex/raw/master/tools/install-unx.sh and not https://yihui.org/tinytex/install-bin-unix.sh. As this is transitive for us, we are not able to make any changes. Can you make similar changes to https://github.com/yihui/tinytex/raw/master/tools/install-unx.sh, so that it also starts installing the daily version by default?

Appreciate the help.

Regards, Amber Khare

AKhares · Feb 19 '23 19:02

Sorry, I still don't understand. Both install-unx.sh and install-bin-unix.sh install the daily version. The only difference is that the former installs the daily version from source, and the latter installs the pre-built binary daily version.

yihui · Mar 06 '23 18:03