latex3 / luaotfload

OpenType font loader for LuaTeX

check_termwidth breaks on new luatex that restricts access to io.popen. #254

Closed mphilipps closed 1 year ago

mphilipps commented 1 year ago

Hi, on Monday I got a newer luatex that prevents execution of arbitrary shell commands (https://security-tracker.debian.org/tracker/CVE-2023-32700). They restrict access to io.popen, which is used in luaotfload-configuration.lua to determine the size of the terminal in the absence of a config file.

There is probably a better way of doing this. For now I am working around this issue by setting termwidth in a .luaotfloadrc config file.

https://github.com/latex3/luaotfload/blob/79fb28b633691fc7349e1d833317049ba9954e80/src/luaotfload-configuration.lua#L285

.luaotfloadrc

[misc]
termwidth = 79

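The failure mode described in this report is a terminal-width probe that assumes io.popen always hands back a usable handle. The following is an added example, not luaotfload's own check_termwidth and not a patch proposed in this thread: a lookup that prefers a configured value, then the COLUMNS environment variable, and only then asks the shell, guarding that call so a restricted or removed io.popen degrades to a default instead of aborting the run. The status.shell_escape field, the COLUMNS variable and the `tput cols` command are assumptions of this example, not facts taken from the thread.

```lua
-- Added example (not luaotfload's code): determine the terminal width without
-- assuming that io.popen is usable. Under LuaTeX, io.popen is governed by the
-- shell_escape setting; in restricted or disabled mode it may return nil plus
-- a message instead of a file handle, or (under a hardening patch) raise an
-- error. Every step below degrades to the next one, ending in a fixed default.
local DEFAULT_WIDTH = 79

-- 1. A configured value wins (e.g. termwidth under [misc] in .luaotfloadrc).
local function from_config(config)
  local w = config and config.misc and tonumber(config.misc.termwidth)
  if w and w > 0 then return math.floor(w) end
  return nil
end

-- 2. Many shells export COLUMNS; reading it needs no shell access at all.
local function from_env()
  local w = tonumber(os.getenv("COLUMNS"))
  if w and w > 0 then return math.floor(w) end
  return nil
end

-- 3. Only when shell escape is fully enabled (status.shell_escape == 1 is an
--    assumption about LuaTeX's status table) ask the shell, and wrap the call
--    in pcall so a restricted, patched or missing io.popen cannot crash us.
local function from_shell()
  if not (status and status.shell_escape == 1) then return nil end
  -- "tput cols" is an assumed probe command, not the one luaotfload uses.
  local ok, handle = pcall(io.popen, "tput cols 2>/dev/null", "r")
  if not ok or not handle then return nil end
  local out = handle:read("*l")
  handle:close()
  local w = tonumber(out)
  if w and w > 0 then return w end
  return nil
end

-- Public entry point: first source that yields a sane width, else the default.
local function check_termwidth(config)
  return from_config(config) or from_env() or from_shell() or DEFAULT_WIDTH
end

-- Usage: a configured width is honoured; with no config, no COLUMNS and shell
-- escape not fully enabled, the function falls through to DEFAULT_WIDTH.
print(check_termwidth({ misc = { termwidth = "100" } }))
print(check_termwidth(nil))
```

The ordering matters for the case in this report: because the configured value and the environment variable are consulted before any shell call, a build with shell escape disabled or with a stricter io.popen never reaches the probe, and a probe that fails for any reason yields the default rather than an error.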
gucci-on-fleek commented 1 year ago

That fix shouldn't affect this. The "official" io.popen interface has always been restricted by the current shell escape setting; this fix just prevents you from using a clever/hidden trick to access the unrestricted version. luaotfload uses the official interface, so this should have no effect at all.

gucci-on-fleek commented 1 year ago

This is a bug with Debian's fix for CVE-2023-32700. Upstream TL and the other distros should all be unaffected.

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036891#40.

mphilipps commented 1 year ago

Oh, I see. I shall close this report.

Thank you