CVE-2023-32700: 
Rocky Linux vulnerability analysis and mitigation

CVE-2023-32700 affects LuaTeX versions 1.04 through 1.16.1, allowing execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. The vulnerability was discovered in May 2023 and affects TeX Live 2017-2022, the original release of TeX Live 2023, and MiKTeX versions 2.9.6300 through 23.4. The issue occurs because luatex-core.lua allows access to the original io.popen functionality (NVD, TUG).

The vulnerability stems from LuaTeX's implementation of security controls in Lua rather than C. The issue specifically involves the local copy of io.popen in luatex-core.lua, which can be accessed using the Lua debug.getupvalue function. This allows bypassing shell escape protections and executing arbitrary processes without restriction. The vulnerability has a CVSS v3.1 base score of 7.8 (High), with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

This vulnerability completely bypasses the security protections of LuaTeX, allowing any TeX file (including packages, classes, documents, and .aux files) to execute arbitrary commands on the affected system. However, the practical impact is somewhat limited since users rarely compile TeX files from untrusted sources, and many online services that compile TeX files use additional sandboxing measures (TUG).

The vulnerability was fixed in LuaTeX 1.17.0 by implementing the wrapper function in C instead of Lua, preventing access to internal references. Users can mitigate the issue by updating to TeX Live 2023 with LuaTeX 1.17.0 or later, or MiKTeX 23.5 or later. For users unable to update, alternative mitigations include manually installing updated LuaTeX binaries or applying specific patches to older versions (TUG, Fedora).