Package: texlive-extra-utils
Version: 2018.20190131-1
Severity: normal
Tags: patch upstream
Forwarded: https://gitlab.com/latexpand/latexpand/merge_requests/6

In the latexpand script, the detection of comments is buggy:
if a % is not at the beginning of a line, it will not be regarded
as introducing a comment, unless it is preceded by a backslash;
in short, the meaning of a backslash has been reversed.

This means that if one has a line like

 % and then \input it with a command in babelbst.tex.

(with a space before the "%"), latexpand attempts to open the
file named "it".

I don't think this is a security bug, but users should be careful
when working on 3rd-party .tex files, if sanitization does not
take care of this bug and other limitations.

I've attached a patch.

This may not be sufficient because code like \\% is not considered,
but the behavior has improved.

-- Package-specific info:
######################################
 List of ls-R files

-rw-r--r-- 1 root root 2879 2019-02-12 01:34:10 /var/lib/texmf/ls-R
lrwxrwxrwx 1 root root 29 2018-09-02 14:32:33 /usr/share/texmf/ls-R -> /var/lib/texmf/ls-R-TEXMFMAIN
lrwxrwxrwx 1 root root 31 2019-01-31 04:53:23 /usr/share/texlive/texmf-dist/ls-R -> /var/lib/texmf/ls-R-TEXLIVEDIST
lrwxrwxrwx 1 root root 31 2019-01-31 04:53:23 /usr/share/texlive/texmf-dist/ls-R -> /var/lib/texmf/ls-R-TEXLIVEDIST
######################################
 Config files
-rw-r--r-- 1 root root 475 2018-09-02 20:20:53 /etc/texmf/web2c/texmf.cnf
lrwxrwxrwx 1 root root 33 2019-01-31 04:53:23 /usr/share/texmf/web2c/fmtutil.cnf -> /var/lib/texmf/fmtutil.cnf-DEBIAN
lrwxrwxrwx 1 root root 32 2019-01-31 04:53:23 /usr/share/texmf/web2c/updmap.cfg -> /var/lib/texmf/updmap.cfg-DEBIAN
-rw-r--r-- 1 root root 5089 2019-02-02 17:01:20 /var/lib/texmf/tex/generic/config/language.dat
######################################
 Files in /etc/texmf/web2c/
total 8
-rw-r--r-- 1 root root 283 2014-10-21 02:46:09 mktex.cnf
-rw-r--r-- 1 root root 475 2018-09-02 20:20:53 texmf.cnf
######################################
 md5sums of texmf.d
ca40c66f144b4bafc3e59a2dd32ecb9c  /etc/texmf/texmf.d/00debian.cnf

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-3-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages texlive-extra-utils depends on:
ii  libunicode-linebreak-perl  0.0.20170401-1+b1
ii  python                     2.7.15-4
ii  tex-common                 6.10
ii  texlive-base               2018.20190131-1
ii  texlive-binaries           2018.20181218.49446-1
ii  texlive-latex-base         2018.20190131-1

Versions of packages texlive-extra-utils recommends:
ii  ghostscript                9.26a~dfsg-0+deb9u1
ii  libfile-homedir-perl       1.004-1
ii  libyaml-tiny-perl          1.73-1
ii  ruby                       1:2.5.1
ii  texlive-latex-recommended  2018.20190131-1

Versions of packages texlive-extra-utils suggests:
ii  chktex      1.7.6-2+b1
ii  dvidvi      1.0-8.2+b1
ii  dvipng      1.15-1.1
ii  fragmaster  1.7-8
ii  lacheck     1.26-17
ii  latexdiff   1.3.0-1
ii  latexmk     1:4.61-0.1
ii  purifyeps   1.1-2
pn  xindy       <none>

Versions of packages tex-common depends on:
ii  dpkg  1.19.4
ii  ucf   3.0038+nmu1

Versions of packages tex-common suggests:
ii  debhelper  12.1

Versions of packages texlive-extra-utils is related to:
ii  tex-common        6.10
ii  texlive-binaries  2018.20181218.49446-1

-- debconf information excluded

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
--- a/texmf-dist/scripts/latexpand/latexpand    2018-05-01 19:35:37.000000000 
+0200
+++ b/texmf-dist/scripts/latexpand/latexpand    2019-02-16 00:29:55.279697355 
+0100
@@ -213,7 +213,7 @@
 
        unless ($keep_includes) {
                if (my ($before, $ignored, $full_filename, $after)
-                   = /^(([^%]|[^\\]%)*)\\include[{\s]+(.*?)[\s}](.*)$/) {
+                   = /^(([^%]|\\%)*)\\include[{\s]+(.*?)[\s}](.*)$/) {
                        $full_filename = find_tex_file($full_filename . ".tex");
                        if ($full_filename) {
                                say $prefix . "Found include for file: 
$full_filename\n";
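Review bot: In the `+` line of this `\include` pattern, `[^%]` still matches a lone backslash, so for `\\%` (a line break followed by a comment) the first backslash is taken by `[^%]` and the second pairs with `%` through the `\\%` alternative. The percent is then read as escaped, and an `\include` in the comment after it would still match. Consuming backslashes only in pairs, for example `(([^%\\]|\\.)*)`, keeps both capture groups and closes that case; the same prefix is used in the other four patterns of this patch.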
@@ -231,7 +231,7 @@
                                $_ = "";
                        }
                } elsif (my ($before, $ignored, $full_filename, $after)
-                        = /^(([^%]|[^\\]%)*)\\input[{\s]+(.*?)[\s}](.*)$/) {
+                        = /^(([^%]|\\%)*)\\input[{\s]+(.*?)[\s}](.*)$/) {
                         if ($inside_import) {
                               $full_filename = $inside_import . $full_filename;
                         }
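Review bot: The `\input` pattern changed here is the one the report's failing line exercises, yet the patch touches only the script and adds no regression case for it. A test that feeds ` % and then \input it with a command in babelbst.tex.` and checks that no file lookup happens, plus a line with `\%` before a real `\input`, would keep the backslash logic from being inverted again.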
@@ -255,7 +255,7 @@
                                $_ = "";
                        }
                } elsif (my ($before, $ignored, $dir, $full_filename, $after)
-                        = 
/^(([^%]|[^\\]%)*)\\(?:sub)?import[{\s]+(.*?)[\s}][{\s]+(.*?)[\s}](.*)$/) {
+                        = 
/^(([^%]|\\%)*)\\(?:sub)?import[{\s]+(.*?)[\s}][{\s]+(.*?)[\s}](.*)$/) {
                         if ($explain) {
                               print "% dir " . $dir ."\n";
                               print "% full_filename " . $full_filename ."\n";
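Review bot: The prefix `(([^%]|\\%)*)` on the `+` line here is the same text as in the `\include`, `\input`, `\includegraphics` and `\lstinputlisting` patterns, which is why one comment-handling bug needed five identical edits. Defining it once with `qr//` and interpolating it into each pattern would let the next fix (such as the `\\%` case) land in one place.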
@@ -290,7 +290,7 @@
                                $_ = "";
                        }
                } elsif (my ($before, $ignored, $args, $full_filename, $after)
-                        = 
/^(([^%]|[^\\]%)*)\\includegraphics[\[\s]+(.*?)[\s\]][{\s]+(.*?)[\s}](.*)$/) {
+                        = 
/^(([^%]|\\%)*)\\includegraphics[\[\s]+(.*?)[\s\]][{\s]+(.*?)[\s}](.*)$/) {
                         if ($explain) {
                                 print "% inside_import " . $inside_import 
."\n";
                                 print "% before " . $before ."\n";
@@ -305,7 +305,7 @@
                                 $_ = "";
                         }
                } elsif (my ($before, $ignored, $args, $full_filename, $after)
-                        = 
/^(([^%]|[^\\]%)*)\\lstinputlisting[\[\s]+(.*?)[\s\]][{\s]+(.*?)[\s}](.*)$/) {
+                        = 
/^(([^%]|\\%)*)\\lstinputlisting[\[\s]+(.*?)[\s\]][{\s]+(.*?)[\s}](.*)$/) {
                         if ($explain) {
                                 print "% inside_import " . $inside_import 
."\n";
                                 print "% before " . $before ."\n";
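
The effect of the patch on the `\input` pattern, as an added example that is not part of the original report or of latexpand. The `$old` and `$new` regexes are copied from the `-` and `+` lines of the hunk; the sample lines (apart from the one quoted in the report) and the `chapterN` file names are constructed, and `$strict` is a hypothetical stricter prefix that is not in the patch.

```perl
#!/usr/bin/perl
# Added example: which file name each variant of the \input pattern would
# hand to the file lookup for a given source line.
use strict;
use warnings;

# Copied from the '-' and '+' lines of the \input hunk.
my $old = qr/^(([^%]|[^\\]%)*)\\input[{\s]+(.*?)[\s}](.*)$/;
my $new = qr/^(([^%]|\\%)*)\\input[{\s]+(.*?)[\s}](.*)$/;
# Hypothetical variant (assumption, not in the patch): backslashes are only
# consumed together with the character that follows them, so "\\%" is read
# as a line break followed by a comment.
my $strict = qr/^(([^%\\]|\\.)*)\\input[{\s]+(.*?)[\s}](.*)$/;

# Constructed sample lines, except the first, which is quoted in the report.
my @lines = (
    ' % and then \input it with a command in babelbst.tex.',
    '% \input{chapter1}',             # comment at the start of the line
    '50\% done \input{chapter2}',     # escaped percent, then a real \input
    'text \\\\% \input{chapter3}',    # "\\%": line break, then a comment
);

# Return the captured file name, or undef when the line is not
# treated as containing an \input.
sub input_target {
    my ($re, $line) = @_;
    my ($before, $ignored, $file, $after) = $line =~ $re;
    return $file;
}

for my $line (@lines) {
    my @hits = map { input_target($_, $line) // '(none)' } ($old, $new, $strict);
    printf "%s\n    old=%s  patched=%s  strict=%s\n", $line, @hits;
}
```

Any line where a variant reports a file name inside what TeX treats as a comment is a case where latexpand would try to open a file chosen by comment text.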
