More info about LuaTeX 1.17.0 (security update)

Max Chernoff mseven at telus.net
Mon May 22 13:17:19 CEST 2023


Hi Joseph,

> On 22/05/2023 11:31, Max Chernoff wrote:
> > This issue affects all operating systems/architectures, and all LuaTeX
> > formats except for ConTeXt. Further details are available at:
> 
> Could you explain that a bit more? If it's an engine bug, I don't see 
> how the format is relevant? 

This is an engine bug, and you're right, the format isn't really
relevant. I just mentioned that since this was mostly copied from an
email I sent out to the Linux distros last week, and the format/engine
distinction is pretty confusing unless you're deeply involved with TeX.

ConTeXt is unaffected in this specific case though since it always has
unrestricted shell escape enabled, and it has the debug module disabled.

> Or, looked at the other way, if it was 
> fixable by format changes, why was a change to the engine needed?

It is maybe possible to fix this just in the formats

   https://tug.org/~mseven/luatex.html#patching-no-bin
   
but I'm not too sure how robust that solution is. Patching the binaries is
much safer.

Thanks,
-- Max


