More info about LuaTeX 1.17.0 (security update)
Ken Moffat
zarniwhoop at ntlworld.com
Tue May 23 04:07:56 CEST 2023
On Mon, May 22, 2023 at 04:48:46PM -0600, Max Chernoff wrote:
> Hi Ken,
>
> > en at deluxe /tmp $lualatex shell-escape-test.tex
> > This is LuaHBTeX, Version 1.16.0 (TeX Live 2023)
> > restricted system commands enabled.
> > (./shell-escape-test.tex
> > LaTeX2e <2022-11-01> patch level 1
> > L3 programming layer <2023-02-22>sh: line 1: shell-escape-test.tex:
> > command not found
>
> The document attempts to run the last argument given on the command
> line, so you need to run:
>
> $ lualatex shell-escape-test.tex "sh -c 'echo @@@VULNERABLE@@@'"
>
> I did it this way so that on Windows you could do something like:
>
> $ luatex shell-escape-test.tex calc.exe
>
> You can also make a more exciting demonstration on Linux too:
>
> $ optex --no-shell-escape shell-escape-test.tex poweroff
>
> -- Max
Hi Max,
I've fallen into the trap of thinking I can read!
Got it now, sorry for the noise.
ĸen
--
They feel among themselves that everything that is being done is
bad - even though that everything is done by their own party.
- Anthony Trollope, 'The Eustace Diamonds'
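The mix-up in this thread (an old engine, but no marker because the command was not passed as the last argument) can be caught mechanically when the test is run on several machines. The following is an added example, not part of the original messages or of the test document: it classifies captured output from a run, assuming the marker string and banner format quoted above and, following the thread subject, treating engines older than 1.17.0 as needing the update. The function names and verdict words are hypothetical.

```shell
# Added example: classify captured output from the shell-escape test run.
# Assumptions: marker and banner format as quoted in this thread; versions
# below 1.17.0 are treated as needing the update (from the thread subject).
MARKER='@@@VULNERABLE@@@'
FIXED='1.17.0'

# Print the engine version from a banner such as
# "This is LuaHBTeX, Version 1.16.0 (TeX Live 2023)"; print nothing if absent.
engine_version() {
    sed -n 's/^This is [A-Za-z]*TeX, Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed when version $1 is strictly older than version $2 (numeric per field).
version_lt() {
    [ "$1" != "$2" ] || return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# Read captured output on stdin and print one verdict word.
classify_run() {
    out=$(cat)
    ver=$(printf '%s\n' "$out" | engine_version)
    if printf '%s\n' "$out" | grep -qF -- "$MARKER"; then
        echo "vulnerable"      # the command-line argument was executed
    elif [ -n "$ver" ] && version_lt "$ver" "$FIXED"; then
        echo "update-needed"   # no marker, but old engine: re-check how the test was invoked
    elif [ -n "$ver" ]; then
        echo "ok"              # no marker and engine is 1.17.0 or newer
    else
        echo "unknown"         # no engine banner in the input
    fi
}

# Constructed sample: banner as quoted in the thread, followed by the marker.
SAMPLE='This is LuaHBTeX, Version 1.16.0 (TeX Live 2023)
 restricted system commands enabled.
@@@VULNERABLE@@@'
printf '%s\n' "$SAMPLE" | classify_run
```
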
More information about the tex-live mailing list.