Indico Flask-Multipass LaTeX Injection Vulnerability Allowing Local File Read and Code Execution

Vulnerability

Indico versions prior to 3.3.12 contain a LaTeX injection vulnerability: because of behaviour in TeXLive and certain LaTeX syntax, specially crafted LaTeX could bypass Indico's LaTeX sanitizer. Such a snippet, once rendered, can read local files or execute code with the same privileges as the user running Indico on the server. The vulnerability applies only when server-side LaTeX rendering is enabled, which is the case when 'XELATEX_PATH' is set in 'indico.conf'.

Impact

Exploitation allows an attacker who can submit LaTeX content to Indico to read local files on the server or execute arbitrary code there, with the same privileges as the user running Indico.

Reproduction

To reproduce this vulnerability, submit a contribution or abstract containing LaTeX code that exploits the sanitizer bypass, then trigger server-side rendering of that content. The snippet is only processed on the server when server-side LaTeX rendering is enabled, so 'XELATEX_PATH' must be set in 'indico.conf'.

Remediation

Update Indico to version 3.3.12 or later. On 3.3.12 or later, additionally enable the containerized LaTeX renderer ('podman'), which isolates LaTeX processing from the main system so that a renderer escape has far less to reach. If you cannot update yet, disable server-side LaTeX rendering by removing 'XELATEX_PATH' from 'indico.conf' and restarting both the 'indico-uwsgi' and 'indico-celery' services; both services load the configuration, so both must be restarted for the change to take effect.
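The remediation above reduces to two questions for any given deployment: is server-side LaTeX rendering enabled, and is the installed release older than 3.3.12? The following audit script is an added example, not code from Indico or from this advisory. It assumes that 'indico.conf' uses Python assignment syntax (as Indico's configuration file does) and that 'XELATEX_PATH' is the only setting that turns server-side rendering on; the sample configuration and the file path in the usage line are constructed for the example. The file is parsed with the 'ast' module rather than executed, so running the audit against an untrusted or mis-edited config cannot itself run code.

```python
"""Audit an Indico deployment for the server-side LaTeX rendering exposure.

Checks performed (added example, not part of Indico):
  1. Is XELATEX_PATH set to a non-empty value in indico.conf?
  2. Is the installed Indico release older than the fixed version, 3.3.12?
indico.conf is parsed with `ast`, never executed.
"""
import ast
import re
import sys

FIXED_VERSION = (3, 3, 12)

# Sentinel for settings whose value is computed (e.g. a function call) and
# therefore cannot be evaluated as a literal; treated as "set" to be safe.
NON_LITERAL = '<non-literal expression>'

# Constructed sample indico.conf fragment; not taken from a real deployment.
SAMPLE_CONF = """\
# indico.conf (constructed example)
SQLALCHEMY_DATABASE_URI = 'postgresql:///indico'
SECRET_KEY = 'not-a-real-key'
XELATEX_PATH = '/usr/bin/xelatex'   # enables server-side LaTeX rendering
"""


def parse_indico_conf(text):
    """Return {NAME: value} for top-level `NAME = <literal>` assignments.

    Non-literal right-hand sides are recorded as NON_LITERAL so that the
    caller still sees the key as present (and conservatively enabled).
    """
    settings = {}
    for node in ast.parse(text).body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if not isinstance(target, ast.Name):
                continue
            try:
                settings[target.id] = ast.literal_eval(node.value)
            except (ValueError, TypeError, SyntaxError):
                settings[target.id] = NON_LITERAL
    return settings


def latex_rendering_enabled(settings):
    """Server-side rendering is on when XELATEX_PATH has a non-empty value."""
    return bool(settings.get('XELATEX_PATH'))


def parse_version(version):
    """'3.3.12' -> ((3, 3, 12), True); '3.3.12rc1' -> ((3, 3, 12), False).

    The boolean marks a final release, so a pre-release of the fixed version
    sorts before the fixed version itself and is still reported as exposed.
    """
    match = re.match(r'(\d+(?:\.\d+)*)(.*)$', version.strip())
    if not match:
        raise ValueError(f'unrecognised version string: {version!r}')
    numbers = tuple(int(part) for part in match.group(1).split('.'))
    return (numbers, match.group(2) == '')


def version_is_fixed(version):
    """True when `version` is 3.3.12 or later (final releases only)."""
    return parse_version(version) >= (FIXED_VERSION, True)


def assess(conf_text, version):
    """Map the two checks onto the advisory's remediation states."""
    settings = parse_indico_conf(conf_text)
    if not latex_rendering_enabled(settings):
        return 'not_exposed'   # rendering disabled: XELATEX_PATH absent or empty
    if version_is_fixed(version):
        return 'patched'       # fixed release; still enable the podman renderer
    return 'exposed'           # vulnerable release with rendering enabled


if __name__ == '__main__':
    # Usage: python indico_latex_audit.py /opt/indico/etc/indico.conf 3.3.11
    # (the path is an assumed location; without arguments the sample is used)
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding='utf-8') as fh:
            conf_text = fh.read()
        installed = sys.argv[2]
    else:
        conf_text, installed = SAMPLE_CONF, '3.3.11'
    print(f'indico {installed}: {assess(conf_text, installed)}')
```

A verdict of 'exposed' means the page's interim mitigation applies (remove 'XELATEX_PATH', restart 'indico-uwsgi' and 'indico-celery'); 'patched' means the containerized renderer is the remaining hardening step. Because non-literal values for 'XELATEX_PATH' are treated as enabled, the script errs toward reporting exposure rather than missing it.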

Added: Mar 23, 2026, 11:26 PM
Updated: Mar 23, 2026, 11:26 PM

Vulnerability Rating

Custom Algorithm
spread: 1.6
impact: 7.5
exploitability: 6.4
remediation: 8.3
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.