[tldistro] LuaTeX security update (1.17.0)
Max Chernoff
mseven at telus.net
Mon May 22 12:48:33 CEST 2023
Hi all,
A few weeks ago, Luigi and the TeX Live team released LuaTeX 1.17.0.
This patched a vulnerability that allowed any document compiled with
LuaTeX 1.04--1.16.1 (TeX Live 2017--2023) to execute arbitrary shell
commands, even with shell escape completely disabled.
Last week, this issue was assigned CVE-2023-32700 and I privately
emailed a patch to the security contacts for the major distros.
OpenSUSE/SLES, Gentoo, OpenBSD, Debian, and Nix have all patched their
LuaTeX binaries, and Ubuntu is planning a patch for next week. If you
maintain TeX Live for another distro, then I'd recommend that you try
and patch this relatively soon.
Further details, including exploit code and a patch, are available at:
https://tug.org/~mseven/luatex.html
Feel free to reply if you have any questions.
Thanks,
-- Max
More information about the tldistro
mailing list.