CVE-2023-32700

Name
CVE-2023-32700
Description
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://tug.org/pipermail/tex-live/2023-May/049188.html
MISC https://tug.org/~mseven/luatex.html
MISC https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0
MISC https://github.com/TeX-Live/texlive-source/releases/tag/build-svn66984
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLY43MIRONJSJVNBDFQHQ26MP3JIOB3H/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TF6YXUUFRGBIXIIIEV5SGBJXXT2SMUK5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLY43MIRONJSJVNBDFQHQ26MP3JIOB3H/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF6YXUUFRGBIXIIIEV5SGBJXXT2SMUK5/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:luatex_project:luatex:*:*:*:*:*:*:*:* luatex >= 1.04 < 1.16.2
cpe:2.3:a:miktex:miktex:*:*:*:*:*:*:*:* miktex >= 2.9.6300 < 23.5
cpe:2.3:a:tug:tex_live:*:*:*:*:*:*:*:* tex_live >= 2017 < 2023

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
texlive 3.18-community 20230506.66984-r0 Marian Buschsieweke <marian.buschsieweke@ovgu.de> fixed