CVE-2023-32700 Affecting texlive-bin package, versions <2020.20200327.54578-7+deb11u1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN11-TEXLIVEBIN-5564817
- published 20 May 2023
- disclosed 20 May 2023
Introduced: 20 May 2023
CVE-2023-32700 Open this link in a new tabHow to fix?
Upgrade Debian:11 texlive-bin to version 2020.20200327.54578-7+deb11u1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream texlive-bin package and not the texlive-bin package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
References
- https://security-tracker.debian.org/tracker/CVE-2023-32700
- https://github.com/TeX-Live/texlive-source/releases/tag/build-svn66984
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0
- https://tug.org/pipermail/tex-live/2023-May/049188.html
- https://tug.org/~mseven/luatex.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLY43MIRONJSJVNBDFQHQ26MP3JIOB3H/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TF6YXUUFRGBIXIIIEV5SGBJXXT2SMUK5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLY43MIRONJSJVNBDFQHQ26MP3JIOB3H/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF6YXUUFRGBIXIIIEV5SGBJXXT2SMUK5/