Closed mphilipps closed 1 year ago
That fix shouldn't affect this. The "official" io.popen interface has always been restricted by the current shell escape setting; this fix just prevents you from using a clever/hidden trick to access the unrestricted version. luaotfload uses the official interface, so this should have no effect at all.
This is a bug with Debian's fix for CVE-2023-32700. Upstream TL and the other distros should all be unaffected.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036891#40.
Oh I see. I shall close this report.
Thank you
Hi, on Monday I got a newer luatex that prevents execution of arbitrary shell commands (https://security-tracker.debian.org/tracker/CVE-2023-32700). They restrict the access to io.popen, which is used in luaotfload-configuration.lua to determine the size of the terminal in absence of a config file. There is probably a better way of doing this. For now I am working around this issue by setting termwidth in an .luaotfloadrc config file.
https://github.com/latex3/luaotfload/blob/79fb28b633691fc7349e1d833317049ba9954e80/src/luaotfload-configuration.lua#L285
.luaotfloadrc
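
A terminal-width lookup that keeps working when io.popen is restricted or missing, as discussed in this thread. This is an added example, not part of the thread and not luaotfload's code; the function names, the `tput cols` command, the COLUMNS fallback and the default of 80 are assumptions made for illustration.

```lua
-- Added example (not luaotfload's code); every name here is hypothetical.
local DEFAULT_WIDTH = 80 -- assumed fallback width

-- Return a positive integer parsed from a string of digits, or nil.
local function parse_columns(s)
  if type(s) ~= "string" then return nil end
  local digits = s:match("^%s*(%d+)%s*$")
  local n = digits and tonumber(digits)
  if n and n > 0 then return n end
  return nil
end

-- Ask the terminal for its width through io.popen, tolerating each way
-- a restricted engine can refuse the call.
local function columns_from_popen()
  if type(io.popen) ~= "function" then return nil end -- function removed
  local ok, pipe = pcall(io.popen, "tput cols", "r")  -- call may raise
  if not ok or not pipe then return nil end            -- or return nil, err
  local out = pipe:read("*l")
  pipe:close()
  return parse_columns(out)
end

-- Prefer sources that need no subprocess: an explicitly configured value
-- (such as a termwidth setting), then the COLUMNS environment variable.
-- Only then try the shell, and never fail if it is unavailable.
local function terminal_width(configured)
  return parse_columns(configured ~= nil and tostring(configured) or nil)
      or parse_columns(os.getenv("COLUMNS"))
      or columns_from_popen()
      or DEFAULT_WIDTH
end

print(terminal_width(nil))   -- environment, shell, or the default
print(terminal_width("120")) -- configured value wins, no subprocess started
```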