[tldistro] LuaTeX security update (1.17.0)

Max Chernoff mseven at telus.net
Mon May 22 12:48:33 CEST 2023


Hi all,

A few weeks ago, Luigi and the TeX Live team released LuaTeX 1.17.0.
This patched a vulnerability that allowed any document compiled with
LuaTeX 1.04--1.16.1 (TeX Live 2017--2023) to execute arbitrary shell
commands, even with shell escape completely disabled.

Last week, this issue was assigned CVE-2023-32700 and I privately
emailed a patch to the security contacts for the major distros.

OpenSUSE/SLES, Gentoo, OpenBSD, Debian, and Nix have all patched their
LuaTeX binaries, and Ubuntu is planning a patch for next week. If you
maintain TeX Live for another distro, then I'd recommend that you try
and patch this relatively soon.

Further details, including exploit code and a patch, are available at:

   https://tug.org/~mseven/luatex.html

Feel free to reply if you have any questions.

Thanks,
-- Max