rstudio / tinytex

A lightweight, cross-platform, portable, and easy-to-maintain LaTeX distribution based on TeX Live
https://yihui.org/tinytex/

Security Vulnerabilities Detected!! #401

Closed AKhares closed 1 year ago

AKhares commented 1 year ago

Hi Team,

In our recent vulnerability scans we observed multiple vulnerabilities.

Usage:

RUN PACKAGES="wget perl-switch" \ && apk --no-cache add tzdata && wget -qO- "https://yihui.org/tinytex/install-bin-unix.sh" | sh -s - --admin --no-path && mv ~/.TinyTeX /opt/TinyTeX && /opt/TinyTeX/bin/*/tlmgr path add && tlmgr path add && chown -R root:adm /opt/TinyTeX && chmod -R g+w /opt/TinyTeX && chmod -R g+wx /opt/TinyTeX/bin && tlmgr install epstopdf-pkg \

Vulnerabilities List:

libpng | 1.6.37 | sourceforge | libpng/v1.6.37 | v1.6.37 | BDSA-2019-5322
lua | 5.3.6 | unknown | | v5.3.6 | https://github.com/advisories/GHSA-4f5v-4r5w-g4x3 (BDSA-2020-1807)
lua | 5.3.6 | unknown | | v5.3.6 | https://github.com/advisories/GHSA-4fp8-99qh-27p3 (BDSA-2020-1850)
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2058
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2093
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2094
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2099
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2021-3384
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2022-0057
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2022-0976
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2022-1825
lz4 | 1.8.3 | github | lz4/lz4:v1.8.3 | v1.8.3 | https://github.com/advisories/GHSA-fxrv-74g3-w7qr (BDSA-2019-3383)
lz4 | 1.8.3 | github | lz4/lz4:v1.8.3 | v1.8.3 | https://github.com/advisories/GHSA-gmc7-pqv9-966m (BDSA-2021-1549)
The FreeType Project | 2.11.1 | unknown | | 2.11.1 | https://github.com/advisories/GHSA-22wv-f9f6-xwwm (BDSA-2022-1122)
The FreeType Project | 2.11.1 | unknown | | 2.11.1 | https://github.com/advisories/GHSA-3p63-23m4-gmcp (BDSA-2022-1123)
The FreeType Project | 2.11.1 | unknown | | 2.11.1 | https://github.com/advisories/GHSA-34wh-7j35-vw3w (BDSA-2022-1124)
The FreeType Project | 2.11.1 | unknown | | 2.11.1 | BDSA-2022-1494
Wget | 1.20.1 | gnu | wget:1.20.1 | 1.20.1 | https://github.com/advisories/GHSA-fhwx-v7qv-pjh3 (BDSA-2019-0984)
Wget | 1.20.1 | gnu | wget:1.20.1 | 1.20.1 | https://github.com/advisories/GHSA-78qj-768g-464g (BDSA-2021-1176)
Xpdf | 4.03 | unknown | | 4.03 | BDSA-2019-4611
Xpdf | 4.03 | unknown | | 4.03 | BDSA-2020-2283
Xpdf | 4.03 | unknown | | 4.03 | CVE-2021-30860
Xpdf | 4.03 | unknown | | 4.03 | https://github.com/advisories/GHSA-479v-8jg2-8fgj
Xpdf | 4.03 | unknown | | 4.03 | BDSA-2022-1301
Xpdf | 4.03 | unknown | | 4.03 | https://github.com/advisories/GHSA-2gqh-hpcc-jmx2
Xpdf | 4.03 | unknown | | 4.03 | https://github.com/advisories/GHSA-fvj4-fm65-5pqm
Xpdf | 4.03 | unknown | | 4.03 | BDSA-2022-3104
Xpdf | 4.03 | unknown | | 4.03 | https://github.com/advisories/GHSA-32jj-wp9g-2g8g
XZ Utils | 5.2.4 | unknown | | 5.2.4 | BDSA-2022-0958
zlib | 1.2.11 | unknown | | 1.2.11 | https://github.com/advisories/GHSA-jc36-42cf-vqwj (BDSA-2018-5271)
zlib | 1.2.11 | unknown | | 1.2.11 | https://github.com/advisories/GHSA-cfmr-vrgj-vqwv (BDSA-2022-2183)

I see that the packages are installed using https://tinytex.yihui.org/pkgs-custom.txt. Can we get these packages' latest versions installed by https://tinytex.yihui.org/pkgs-custom.txt? If that's done we can get over most of these vulnerabilities, or at least we will be at their latest versions.

Regards, Amber Khare
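To triage a flattened scan list like the one in the report above, here is an added Python example (not part of the issue or of the tinytex project) that parses rows in that six-column pipe format into a per-component summary of advisory identifiers. The sample rows are copied from the list above; the column meanings (component, version, source, locator, tag, advisory) are an assumption from the sample.

```python
import re
from collections import defaultdict

# Constructed sample: six rows copied from the scanner output quoted in the issue.
SCAN_ROWS = """\
libpng | 1.6.37 | sourceforge | libpng/v1.6.37 | v1.6.37 | BDSA-2019-5322
lua | 5.3.6 | unknown | | v5.3.6 | https://github.com/advisories/GHSA-4f5v-4r5w-g4x3 (BDSA-2020-1807)
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2058
Xpdf | 4.03 | unknown | | 4.03 | CVE-2021-30860
Xpdf | 4.03 | unknown | | 4.03 | https://github.com/advisories/GHSA-479v-8jg2-8fgj
zlib | 1.2.11 | unknown | | 1.2.11 | https://github.com/advisories/GHSA-cfmr-vrgj-vqwv (BDSA-2022-2183)
"""

# Advisory ids as they appear in the rows: CVE, GitHub (GHSA) and Black Duck (BDSA)
# identifiers, sometimes wrapped in a URL or in parentheses.
ADVISORY_ID = re.compile(
    r"\b(CVE-\d{4}-\d{4,}|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}|BDSA-\d{4}-\d+)\b"
)

def parse_row(line):
    """Split one 'component | version | source | locator | tag | advisory' row.
    Column meanings are assumed from the sample; the empty locator column is kept."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 columns, got {len(fields)}: {line!r}")
    component, version, _source, _locator, _tag, advisory = fields
    ids = ADVISORY_ID.findall(advisory)
    if not ids:
        raise ValueError(f"no advisory id in: {advisory!r}")
    return {"component": component, "version": version, "ids": ids}

def summarize(text):
    """Group rows by component: pinned version plus the sorted, de-duplicated id set."""
    grouped = defaultdict(set)
    versions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        versions[row["component"]] = row["version"]
        grouped[row["component"]].update(row["ids"])
    return {c: {"version": versions[c], "ids": sorted(ids)} for c, ids in grouped.items()}

def count_by_kind(summary):
    """Count distinct ids per prefix (CVE/GHSA/BDSA): how many are public-tracker ids."""
    counts = defaultdict(int)
    for entry in summary.values():
        for adv in entry["ids"]:
            counts[adv.split("-", 1)[0]] += 1
    return dict(counts)

if __name__ == "__main__":
    for component, entry in summarize(SCAN_ROWS).items():
        print(f"{component} {entry['version']}: {', '.join(entry['ids'])}")
```

Feeding the full list from the report into summarize() gives one line per bundled component, which is the unit at which a newer TeX Live binary set would close the findings.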

yihui commented 1 year ago

Duplicate of https://github.com/rstudio/tinytex-releases/issues/34