Description
LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| texlive-bin | fixed | 2022.20220321.62855-6 | | package |
| texlive-bin | fixed | 2022.20220321.62855-5.1+deb12u1 | bookworm | package |
| texlive-bin | no-dsa | | buster | package |
Notes
https://tug.org/pipermail/tex-live/2023-May/049188.html
https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/b266ef076c96b382cd23a4c93204e247bb98626a
https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/e7df9234420973a2f69aac1b10cbb5f00b0cda4d
https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/da4492c789e25f05255d54e45447d3da79098967
https://www.maxchernoff.ca/p/luatex-vulnerabilities#luasocket
EPSS
Related vulnerabilities
LuaTeX before 1.17.0 enables the socket library by default.
Vulnerability in the Socket Library component of the LuaTeX, TeX Live and MiKTeX typesetting systems, allowing an attacker to execute arbitrary commands