Ubuntu Security Notice USN-6115-1
==========================================================================
Ubuntu Security Notice USN-6115-1
May 30, 2023
texlive-bin vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
LuaTeX (TeX Live) could be made to run programs as your login if it
compiled a specially crafted TeX file.
Software Description:
- texlive-bin: Binaries for TeX Live
Details:
Max Chernoff discovered that LuaTeX (TeX Live) did not properly disable
shell escape. An attacker could possibly use this issue to execute
arbitrary shell commands.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
  texlive-binaries  2022.20220321.62855-5ubuntu0.1
Ubuntu 22.10:
  texlive-binaries  2022.20220321.62855-4ubuntu0.1
Ubuntu 22.04 LTS:
  texlive-binaries  2021.20210626.59705-1ubuntu0.1
Ubuntu 20.04 LTS:
  texlive-binaries  2019.20190605.51237-3ubuntu0.1
Ubuntu 18.04 LTS:
  texlive-binaries  2017.20170613.44572-8ubuntu0.2
In general, a standard system update will make all the necessary changes.
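As an added example (not part of the notice), the following Python check compares an installed texlive-binaries version against the fixed versions listed above using dpkg's version-ordering rules (epoch, then upstream version, then Debian revision, with '~' sorting lowest); the sample installed versions are constructed, and on a live system the string would come from `dpkg-query -W -f='${Version}' texlive-binaries`.

```python
import re

# Fixed texlive-binaries versions exactly as listed in USN-6115-1.
FIXED_VERSIONS = {
    "23.04": "2022.20220321.62855-5ubuntu0.1",
    "22.10": "2022.20220321.62855-4ubuntu0.1",
    "22.04": "2021.20210626.59705-1ubuntu0.1",
    "20.04": "2019.20190605.51237-3ubuntu0.1",
    "18.04": "2017.20170613.44572-8ubuntu0.2",
}

def _weight(ch):
    # dpkg ordering: '~' sorts before end-of-string (weight 0), letters by ASCII, others after.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_fragment(a, b):
    # Alternate non-digit runs (compared by character weight) and digit runs (numerically).
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        while na or nb:
            wa, wb = (_weight(na[0]) if na else 0), (_weight(nb[0]) if nb else 0)
            if wa != wb:
                return -1 if wa < wb else 1
            na, nb = na[1:], nb[1:]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    # "epoch:upstream-revision"; epoch defaults to 0 and revision to "0" when absent.
    epoch, sep, rest = version.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "0")

def compare_versions(a, b):
    # Returns -1 / 0 / 1, matching dpkg --compare-versions lt / eq / gt.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(release, installed):
    # True when the installed version is at or above the USN-6115-1 fix for that release.
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0
```

Note that the pre-fix Ubuntu revision (for example "-5" without the "ubuntu0.1" suffix) correctly sorts below the fixed version because a missing non-digit run sorts before any letter.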
References:
https://ubuntu.com/security/notices/USN-6115-1
CVE-2023-32700
Package Information:
https://launchpad.net/ubuntu/+source/texlive-bin/2022.20220321.62855-5ubuntu0.1
https://launchpad.net/ubuntu/+source/texlive-bin/2022.20220321.62855-4ubuntu0.1
https://launchpad.net/ubuntu/+source/texlive-bin/2021.20210626.59705-1ubuntu0.1
https://launchpad.net/ubuntu/+source/texlive-bin/2019.20190605.51237-3ubuntu0.1
https://launchpad.net/ubuntu/+source/texlive-bin/2017.20170613.44572-8ubuntu0.2
Related news:
- Red Hat Security Advisory 2023-3661-01 - The texlive packages contain TeXLive, an implementation of TeX for Linux or UNIX systems. Issues addressed include a code execution vulnerability.
- Debian Linux Security Advisory 5406-1 - Max Chernoff discovered that improperly secured shell-escape in LuaTeX may result in arbitrary shell command execution, even with shell escape disabled, if specially crafted tex files are processed.
- CVE-2023-32700 - LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.