texlive.bin.core-big: fix CVE-2023-32700

[apfelkuchen6]

This fixes a bug that allowed any document compiled with LuaTeX to execute arbitrary shell commands, even with shell escape disabled. This issue is CVE-2023-32700.

See https://tug.org/~mseven/luatex.html for more details.

The fix applied does not fix the socket vulnerability descibed on that page (CVE-2023-32668), which allows any code to create network requests. Patching this requires breaking compatibility. In particular the ConTeXt version shipped with texlive-2022 does not work with luatex-1.17. I'm not sure what we want to do about that. Debian also only patches CVE-2023-32700.

Description of changes

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.05 Release Notes (or backporting 22.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[risicle]

Definitely appears to address the test case provided in https://tug.org/~mseven/luatex.html on x86_64 linux and macos 10.15 for texlive.combined.scheme-full

[github-actions]

Successfully created backport PR for release-22.11:

• [Backport release-22.11] texlive.bin.core-big: fix CVE-2023-32700 #233070