Security Vulnerabilities detected!!

[AKhares]

Hi Team,

In our recent vulnerability scans we observed multiple vulnerabilities.
Usage:
RUN PACKAGES="wget perl-switch" \
&& apk --no-cache add tzdata
&& wget -qO-
"https://yihui.org/tinytex/install-bin-unix.sh" |
sh -s - --admin --no-path
&& mv ~/.TinyTeX /opt/TinyTeX
&& /opt/TinyTeX/bin/*/tlmgr path add
&& tlmgr path add
&& chown -R root:adm /opt/TinyTeX
&& chmod -R g+w /opt/TinyTeX
&& chmod -R g+wx /opt/TinyTeX/bin
&& tlmgr install epstopdf-pkg \

Vulnerabilities List:
libpng | 1.6.37 | sourceforge | libpng/v1.6.37 | v1.6.37 | BDSA-2019-5322
lua | 5.3.6 | unknown |   | v5.3.6 | CVE-2020-15888 (BDSA-2020-1807)
lua | 5.3.6 | unknown |   | v5.3.6 | CVE-2020-15945 (BDSA-2020-1850)
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2020-2058
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2020-2093
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2020-2094
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2020-2099
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2021-3384
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2022-0057
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2022-0976
lua | 5.3.6 | unknown |   | v5.3.6 | BDSA-2022-1825
lz4 | 1.8.3 | github | lz4/lz4:v1.8.3 | v1.8.3 | CVE-2019-17543 (BDSA-2019-3383)
lz4 | 1.8.3 | github | lz4/lz4:v1.8.3 | v1.8.3 | CVE-2021-3520 (BDSA-2021-1549)
The FreeType Project | 2.11.1 | unknown |   | 2.11.1 | CVE-2022-27404 (BDSA-2022-1122)
The FreeType Project | 2.11.1 | unknown |   | 2.11.1 | CVE-2022-27405 (BDSA-2022-1123)
The FreeType Project | 2.11.1 | unknown |   | 2.11.1 | CVE-2022-27406 (BDSA-2022-1124)
The FreeType Project | 2.11.1 | unknown |   | 2.11.1 | BDSA-2022-1494
Wget | 1.20.1 | gnu | wget:1.20.1 | 1.20.1 | CVE-2019-5953 (BDSA-2019-0984)
Wget | 1.20.1 | gnu | wget:1.20.1 | 1.20.1 | CVE-2021-31879 (BDSA-2021-1176)
Xpdf | 4.03 | unknown |   | 4.03 | BDSA-2019-4611
Xpdf | 4.03 | unknown |   | 4.03 | BDSA-2020-2283
Xpdf | 4.03 | unknown |   | 4.03 | CVE-2021-30860
Xpdf | 4.03 | unknown |   | 4.03 | CVE-2022-27135
Xpdf | 4.03 | unknown |   | 4.03 | BDSA-2022-1301
Xpdf | 4.03 | unknown |   | 4.03 | CVE-2021-27548
Xpdf | 4.03 | unknown |   | 4.03 | CVE-2022-38334
Xpdf | 4.03 | unknown |   | 4.03 | BDSA-2022-3104
Xpdf | 4.03 | unknown |   | 4.03 | CVE-2021-36493
XZ Utils | 5.2.4 | unknown |   | 5.2.4 | BDSA-2022-0958
zlib | 1.2.11 | unknown |   | 1.2.11 | CVE-2018-25032 (BDSA-2018-5271)
zlib | 1.2.11 | unknown |   | 1.2.11 | CVE-2022-37434 (BDSA-2022-2183)

I see that the packages are installed using - https://tinytex.yihui.org/pkgs-custom.txt
Can we get these packages latest versions installed by https://tinytex.yihui.org/pkgs-custom.txt?
If that's done we can get over most of these vulnerabilities or at least we will be at their latest versions.

Regards,
Amber Khare

[yihui]

Can we get these packages latest versions installed by https://tinytex.yihui.org/pkgs-custom.txt?
If that's done we can get over most of these vulnerabilities or at least we will be at their latest versions.

We do install the very latest versions in the daily release: https://github.com/rstudio/tinytex-releases/releases/tag/daily The installation script https://yihui.org/tinytex/install-bin-unix.sh installs the daily version by default. So I'm not sure why you still got the problems.

Thanks for the report anyway!

[AKhares]

Thanks for the reply!
Actually we are using reporter plugin - https://github.com/IzakMarais/reporter, which has the script as mentioned in the issue details:
RUN PACKAGES="wget libswitch-perl"
&& apk update
&& apk add $PACKAGES
&& apk add ca-certificates
&& wget -qO-
"https://github.com/yihui/tinytex/raw/master/tools/install-unx.sh" |
sh -s - --admin --no-path
&& mv ~/.TinyTeX /opt/TinyTeX
&& /opt/TinyTeX/bin//tlmgr path add
&& tlmgr path add
&& chown -R root:adm /opt/TinyTeX
&& chmod -R g+w /opt/TinyTeX
&& chmod -R g+wx /opt/TinyTeX/bin
&& tlmgr install epstopdf-pkg
# Cleanup
&& apk del --purge -qq $PACKAGES
&& apk del --purge -qq
&& rm -rf /var/lib/apt/lists/

So its using https://github.com/yihui/tinytex/raw/master/tools/install-unx.sh and not https://yihui.org/tinytex/install-bin-unix.sh. As this is transitive to us we are not able to do any changes. Can you make the similar changes to https://github.com/yihui/tinytex/raw/master/tools/install-unx.sh, so that it also start installing the daily version by default?

Appreciate the help.

Regards,
Amber Khare

[yihui]

Sorry, I still don't understand. Both install-unx.sh and install-bin-unix.sh install the daily version. The only difference is that the former installs the daily version from source, and the latter installs the pre-built binary daily version.