Описание
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
An arbitrary code execution vulnerability was found in LuaTeX (TeX Live) that allows any document compiled with older versions of LuaTeX to execute arbitrary shell commands, even with shell escape disabled.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | texlive | Affected | ||
| Red Hat Enterprise Linux 8 | texlive | Fixed | RHSA-2023:3661 | 19.06.2023 |
| Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | texlive | Fixed | RHSA-2023:3661 | 19.06.2023 |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | texlive | Fixed | RHSA-2023:3661 | 19.06.2023 |
| Red Hat Enterprise Linux 8.2 Telecommunications Update Service | texlive | Fixed | RHSA-2023:3661 | 19.06.2023 |
| Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions | texlive | Fixed | RHSA-2023:3661 | 19.06.2023 |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | texlive | Fixed | RHSA-2023:3661 | 19.06.2023 |
| Red Hat Enterprise Linux 8.4 Telecommunications Update Service | texlive | Fixed | RHSA-2023:3661 | 19.06.2023 |
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | texlive | Fixed | RHSA-2023:3661 | 19.06.2023 |
| Red Hat Enterprise Linux 8.6 Extended Update Support | texlive | Fixed | RHSA-2023:3661 | 19.06.2023 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.8 High
CVSS3
Связанные уязвимости
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when ...
EPSS
7.8 High
CVSS3