[tex-k] secure mode of dvips should be default

Julian Gilbey J.D.Gilbey@qmw.ac.uk
Fri, 1 Jun 2001 19:10:18 +0100


On Fri, Jun 01, 2001 at 10:41:58AM -0700, Tomas G. Rokicki wrote:
> Thanks for the email on dvips security!
> 
> Can you explain why secure mode should be on by default?
> In other words, how might I run TeX and/or dvips over
> untrusted code?  Provide me with a convincing attack
> scenario.  A time bomb in some macro source somewhere that
> gets included into a distribution?
> 
> Certainly if someone embeds dvips into some sort of automatic,
> MIME-driven viewer, yes, secure mode should be set on, but
> for command-line use?

Download and attempt to print a .dvi file from the web which contains
a malicious \special, perhaps?

   Julian

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

         Julian Gilbey, Dept of Maths, Queen Mary, Univ. of London
       Debian GNU/Linux Developer,  see http://people.debian.org/~jdg
  Donate free food to the world's hungry: see http://www.thehungersite.com/
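
An added example, not part of the original message and not dvips code: a Python reader that walks a DVI file's opcodes and lists every \special payload, so a downloaded .dvi can be inspected before it is handed to dvips. The function names and the sample bytes are constructed for this illustration; operand lengths follow the DVI file format.

```python
import struct

def _operand_len(op):
    """Operand byte count for the fixed-length DVI opcodes."""
    # set_char_i, fnt_num_i, nop, eop, push, pop, w0, x0, y0, z0 take no operands
    if op <= 127 or 171 <= op <= 234 or op in (138, 140, 141, 142, 147, 152, 161, 166):
        return 0
    if op in (132, 137):                           # set_rule, put_rule
        return 8
    if op == 139:                                  # bop: ten counts + back pointer
        return 44
    for base in (128, 133, 143, 148, 153, 157, 162, 167, 235):
        if base <= op <= base + 3:                 # set, put, right, w, x, down, y, z, fnt 1..4
            return op - base + 1
    raise ValueError(f"undefined DVI opcode {op}")

def list_specials(data):
    """Return the text of every \\special (xxx1..xxx4) found before the postamble."""
    specials, i = [], 0
    try:
        while i < len(data):
            op = data[i]
            i += 1
            if 239 <= op <= 242:                   # xxxN: N-byte length k, then k bytes
                n = op - 238
                k = int.from_bytes(data[i:i + n], "big")
                if i + n + k > len(data):
                    raise ValueError("truncated special")
                specials.append(data[i + n:i + n + k].decode("latin-1"))
                i += n + k
            elif 243 <= op <= 246:                 # fnt_defN: k[N] c[4] s[4] d[4] a[1] l[1] name
                n = op - 242
                i += n + 14 + data[i + n + 12] + data[i + n + 13]
            elif op == 247:                        # pre: i[1] num[4] den[4] mag[4] k[1] comment
                i += 14 + data[i + 13]
            elif op == 248:                        # post: page content is over
                break
            else:
                i += _operand_len(op)
    except IndexError:
        raise ValueError("truncated DVI data") from None
    return specials

def sample_dvi():
    """Constructed one-page DVI body (ends at the post opcode) holding two specials."""
    pre = bytes([247, 2]) + struct.pack(">III", 25400000, 473628672, 1000) + b"\x04test"
    bop = bytes([139]) + struct.pack(">10i", 1, *[0] * 9) + struct.pack(">i", -1)
    font = bytes([243, 0]) + struct.pack(">III", 0, 655360, 655360) + b"\x00\x05cmr10"
    s1, s2 = b"psfile=fig.eps", b"constructed second special"
    page = bytes([171, 65, 239, len(s1)]) + s1 + bytes([240]) + struct.pack(">H", len(s2)) + s2
    return pre + bop + font + page + bytes([140, 248])
```

Calling `list_specials(open(path, "rb").read())` on a real file returns the same kind of list; it only reports what the file carries and does not decide whether a special is safe.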