Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Vulnerabilities detected!! #34

Open
AKhares opened this issue Feb 16, 2023 · 3 comments
Open

Security Vulnerabilities detected!! #34

AKhares opened this issue Feb 16, 2023 · 3 comments

Comments

@AKhares
Copy link

AKhares commented Feb 16, 2023

Hi Team,

In our recent vulnerability scans we observed multiple vulnerabilities.
Usage:
RUN PACKAGES="wget perl-switch" \
&& apk --no-cache add tzdata
&& wget -qO-
"https://yihui.org/tinytex/install-bin-unix.sh" |
sh -s - --admin --no-path
&& mv ~/.TinyTeX /opt/TinyTeX
&& /opt/TinyTeX/bin/*/tlmgr path add
&& tlmgr path add
&& chown -R root:adm /opt/TinyTeX
&& chmod -R g+w /opt/TinyTeX
&& chmod -R g+wx /opt/TinyTeX/bin
&& tlmgr install epstopdf-pkg \

Vulnerabilities List:
libpng | 1.6.37 | sourceforge | libpng/v1.6.37 | v1.6.37 | BDSA-2019-5322
lua | 5.3.6 | unknown |   | v5.3.6 | CVE-2020-15888 (BDSA-2020-1807)
lua | 5.3.6 | unknown |   | v5.3.6 | CVE-2020-15945 (BDSA-2020-1850)
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2020-2058
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2020-2093
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2020-2094
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2020-2099
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2021-3384
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2022-0057
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2022-0976
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2022-1825
lz4 | 1.8.3 | github | lz4/lz4:v1.8.3 | v1.8.3 | CVE-2019-17543 (BDSA-2019-3383)
lz4 | 1.8.3 | github | lz4/lz4:v1.8.3 | v1.8.3 | CVE-2021-3520 (BDSA-2021-1549)
The FreeType Project | 2.11.1 | unknown |   | 2.11.1 | CVE-2022-27404 (BDSA-2022-1122)
The FreeType Project | 2.11.1 | unknown |   | 2.11.1 | CVE-2022-27405 (BDSA-2022-1123)
The FreeType Project | 2.11.1 | unknown |   | 2.11.1 | CVE-2022-27406 (BDSA-2022-1124)
The FreeType Project | 2.11.1 | unknown |   | 2.11.1 | BDSA-2022-1494
Wget | 1.20.1 | gnu | wget:1.20.1 | 1.20.1 | CVE-2019-5953 (BDSA-2019-0984)
Wget | 1.20.1 | gnu | wget:1.20.1 | 1.20.1 | CVE-2021-31879 (BDSA-2021-1176)
Xpdf | 4.03 | unknown |   | 4.03 | BDSA-2019-4611
Xpdf | 4.03 | unknown |   | 4.03 | BDSA-2020-2283
Xpdf | 4.03 | unknown |   | 4.03 | CVE-2021-30860
Xpdf | 4.03 | unknown |   | 4.03 | CVE-2022-27135
Xpdf | 4.03 | unknown |   | 4.03 | BDSA-2022-1301
Xpdf | 4.03 | unknown |   | 4.03 | CVE-2021-27548
Xpdf | 4.03 | unknown |   | 4.03 | CVE-2022-38334
Xpdf | 4.03 | unknown |   | 4.03 | BDSA-2022-3104
Xpdf | 4.03 | unknown |   | 4.03 | CVE-2021-36493
XZ Utils | 5.2.4 | unknown |   | 5.2.4 | BDSA-2022-0958
zlib | 1.2.11 | unknown |   | 1.2.11 | CVE-2018-25032 (BDSA-2018-5271)
zlib | 1.2.11 | unknown |   | 1.2.11 | CVE-2022-37434 (BDSA-2022-2183)

I see that the packages are installed using - https://tinytex.yihui.org/pkgs-custom.txt
Can we get these packages latest versions installed by https://tinytex.yihui.org/pkgs-custom.txt?
If that's done we can get over most of these vulnerabilities or at least we will be at their latest versions.

Regards,
Amber Khare

@yihui
Copy link
Member

yihui commented Feb 17, 2023

Can we get these packages latest versions installed by https://tinytex.yihui.org/pkgs-custom.txt?
If that's done we can get over most of these vulnerabilities or at least we will be at their latest versions.

We do install the very latest versions in the daily release: https://github.com/rstudio/tinytex-releases/releases/tag/daily The installation script https://yihui.org/tinytex/install-bin-unix.sh installs the daily version by default. So I'm not sure why you still got the problems.

Thanks for the report anyway!

@AKhares
Copy link
Author

AKhares commented Feb 19, 2023

Thanks for the reply!
Actually we are using reporter plugin - https://github.com/IzakMarais/reporter, which has the script as mentioned in the issue details:
RUN PACKAGES="wget libswitch-perl"
&& apk update
&& apk add $PACKAGES
&& apk add ca-certificates
&& wget -qO-
"https://github.com/yihui/tinytex/raw/master/tools/install-unx.sh" |
sh -s - --admin --no-path
&& mv ~/.TinyTeX /opt/TinyTeX
&& /opt/TinyTeX/bin//tlmgr path add
&& tlmgr path add
&& chown -R root:adm /opt/TinyTeX
&& chmod -R g+w /opt/TinyTeX
&& chmod -R g+wx /opt/TinyTeX/bin
&& tlmgr install epstopdf-pkg
# Cleanup
&& apk del --purge -qq $PACKAGES
&& apk del --purge -qq
&& rm -rf /var/lib/apt/lists/

So its using https://github.com/yihui/tinytex/raw/master/tools/install-unx.sh and not https://yihui.org/tinytex/install-bin-unix.sh. As this is transitive to us we are not able to do any changes. Can you make the similar changes to https://github.com/yihui/tinytex/raw/master/tools/install-unx.sh, so that it also start installing the daily version by default?

Appreciate the help.

Regards,
Amber Khare

@yihui
Copy link
Member

yihui commented Mar 6, 2023

Sorry, I still don't understand. Both install-unx.sh and install-bin-unix.sh install the daily version. The only difference is that the former installs the daily version from source, and the latter installs the pre-built binary daily version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants