CVE-2023-32668
Publication date 11 May 2023
Last updated 24 July 2024
Ubuntu priority
LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| texlive-bin | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Fixed 2021.20210626.59705-1ubuntu0.2
|
|
| 20.04 LTS focal |
Fixed 2019.20190605.51237-3ubuntu0.2
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial |
Vulnerable
|
|
| 14.04 LTS trusty | Ignored end of standard support |
Patch details
| Package | Patch details |
|---|---|
| texlive-bin |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.5 · Medium
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-6695-1
- TeX Live vulnerabilities
- 14 March 2024
Other references
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/blob/b266ef076c96b382cd23a4c93204e247bb98626a/source/texk/web2c/luatexdir/ChangeLog#L1-L3
- https://tug.org/pipermail/tex-live/2023-May/049188.html
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0
- https://www.cve.org/CVERecord?id=CVE-2023-32668