
CVE-2022-31394

Open uncomfyhalomacro opened this issue 1 year ago • 3 comments

Source: https://bugzilla.opensuse.org/show_bug.cgi?id=1208561

Related bugzilla report: https://bugzilla.opensuse.org/show_bug.cgi?id=1208551

uncomfyhalomacro, Mar 06 '23 10:03

Thanks for mentioning this.

I am not sure if this issue affects Tectonic in practice. We only use hyper as a server in the test suite, where the version requirement in the top-level Cargo.toml is only for version 0.12 (which still lacks this HTTP/2 max_header_list_size parameter).

We use hyper as a client in the main program through the reqwest library; the current version in the lockfile is 0.14.23, which contains the new API associated with this report. I don't know if reqwest does anything with this API. Based on the discussion in https://github.com/hyperium/hyper/issues/2826, it sounds as if Tectonic's current behavior should not pose any problems.

That being said, it would not hurt to update the hyper dependency in the test suite to stay in sync with newer versions and potentially avoid some automated security reports.

pkgw, Mar 06 '23 13:03
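An added helper, not part of the Tectonic project or of this thread, for the check pkgw walks through above: which versions of a crate a Cargo.lock actually resolves, and which packages pull each one in (here hyper, once directly at 0.12 and once via reqwest at 0.14.x). It assumes the Cargo.lock v3 layout and runs on a constructed sample lockfile, not Tectonic's.

```python
"""Audit which versions of a crate a Cargo.lock resolves and which packages pull
each one in. Assumes Cargo.lock v3 layout; the sample lockfile is constructed.
Constructed sample: hyper resolves twice, as the thread describes for Tectonic
(an old 0.12 line for the test server, a 0.14.x line pulled in via reqwest)."""
import re

SAMPLE_LOCK = """\
[[package]]
name = "hyper"
version = "0.12.36"
[[package]]
name = "hyper"
version = "0.14.23"

[[package]]
name = "reqwest"
version = "0.11.14"
dependencies = [
 "hyper 0.14.23",
]

[[package]]
name = "tectonic"
version = "0.12.0"
dependencies = [
 "hyper 0.12.36",
 "reqwest",
]
"""

def parse_lock(text):
    """Return {(name, version): [dependency specs]} for every [[package]]."""
    pkgs = {}
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M)[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        ver = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r"^dependencies = \[(.*?)^\]", block, re.M | re.S)
        pkgs[(name, ver)] = re.findall(r'"([^"]+)"', deps.group(1)) if deps else []
    return pkgs

def dependents(pkgs, crate):
    """Map each resolved version of `crate` to the packages depending on it.
    Cargo writes a bare "name" when one version resolves, "name version" if several."""
    versions = sorted(v for (n, v) in pkgs if n == crate)
    out = {v: [] for v in versions}
    for (n, v), specs in pkgs.items():
        for spec in specs:
            parts = spec.split()
            if parts[0] == crate:
                out[parts[1] if len(parts) > 1 else versions[0]].append(f"{n} {v}")
    return out
```

Point it at a real lockfile with `dependents(parse_lock(open("Cargo.lock").read()), "hyper")`; a crate listed under more than one version is the case where an advisory fixed in one line can still be present through the other.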

I agree that it's just the crate and not tectonic. I opened this for compliance and to help remove the bug report in bugzilla.

Thanks for the response though!

uncomfyhalomacro, Mar 11 '23 16:03

Well, I want to make sure that we are on top of any security concerns even if they're formalities. Please let me know if we can take any steps to keep things tidy here.

pkgw, Mar 13 '23 13:03