Launchpad CVE tracker

CVE 2023-32668

LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.

Related bugs and status

CVE-2023-32668 (Candidate) is related to these bugs:

Bug #2047912: There is a heap buffer overflow in texlive-bin

Summary				In	Importance	Status
	2047912	There is a heap buffer overflow in texlive-bin		texlive-bin (Ubuntu)	Undecided	Fix Released

Bug #2058409: Install of tevlive-full hangs: tex/context/base/mkiv/l-sandbox.lua:180: module 'socket.core' not found

Summary				In	Importance	Status
	2058409	Install of tevlive-full hangs: tex/context/base/mkiv/l-sandbox.lua:180: module 'socket.core' not found		context (Ubuntu)	Undecided	Confirmed

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2023-32668

References