[texhax] security issues

James Quirk jjq at galcit.caltech.edu
Fri Jul 23 13:31:44 CEST 2010


Victor,

On Fri, 23 Jul 2010, Victor Ivrii wrote:

> On Fri, Jul 23, 2010 at 4:49 AM, Uwe Lueck <uwe.lueck at web.de> wrote:
> > Hi folks,
> >
> > to my astonishment, I find security warnings touching TeX in the German Linux Magazine:
> >
> > BibTeX:
> >    http://www.securityfocus.com/bid/34332
I'm not sure why you're astonished. Many of the security warnings 
arise from buffer overflows and the like that can afflict any non-trivial 
piece of software, whatever the application. While I can't claim to be a 
computer security expert, I am acknowledged in Adobe's last two 
security advisories for problems I stumbled across while using pdftex. 
So you could say I just know enough to be dangerous. :-)

Here it's also worth bearing in mind the paper by Checkoway et al: 
http://cseweb.ucsd.edu/~scheckow/papers/tex2010.html
which discusses how TeX input files can be abused in a variety of ways.

> 
> Don't know
> 
> >
> > teTeX English:
> >    http://freshmeat.net/articles/red-hat-updated-tetex-packages-fix-multiple-security-issues
> >
> > teTeX, TeX Live 2007 German:
> >    http://www.linux-magazin.de/DFN-CERT-Advisories/RedHat-Mehrere-Schwachstellen-im-Textsatzsystem-teTeX-RHSA-2010-0399-01
> 
> 
> TL2010 has addressed many security issues.
> 
> >
> > Xpdf:
> >    http://www.securityfocus.com/bid/36703
> 
> 
> Xpdf is not part of TeX and I believe the latest security issue was
This statement is not true as pdftex 1.40.x is built using Xpdf. On my 
machine, pdftex -v reports: Compiled with xpdf version 3.01

> addressed by pl4 patch. BTW in many distributions xpdf is replaced by
> kpdf (not sure about security issues)
Kpdf is similarly built using Xpdf. Thus the bottom line: some 
vulnerabilities in Xpdf and its dependent libraries, such as libpng, *do* 
taint pdftex, Kpdf and a slew of other applications. Although personally I 
am not going to lose any sleep over it. In fact, one can sometimes
exploit software weaknesses for a positive end.

As a case in point, if there are any OSX users of R, drop me a line
and I'll send you a PDF which runs an R session directly in a
pdftex-generated PDF.

James



> 
> >
> > I have rarely looked at TeX user journals and am wondering whether they have a regular column on security issues.
> >
> > Cheers,
> >
> >    Uwe.
> > _______________________________________________
> > TeX FAQ: http://www.tex.ac.uk/faq
> > Mailing list archives: http://tug.org/pipermail/texhax/
> > More links: http://tug.org/begin.html
> >
> > Automated subscription management: http://tug.org/mailman/listinfo/texhax
> > Human mailing list managers: postmaster at tug.org
> >
> 
> 
> Victor
> 
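As an added example (not part of the original thread, and not code from James or any TeX distribution): a small POSIX shell script that performs the check James describes, reading the "Compiled with xpdf version ..." line from an engine's version banner, and repeats it across several TeX engines so you can see which binaries on your machine carry an embedded xpdf (or, in later TeX Live releases, poppler). The sample banner is constructed for the offline test and is modelled on the line quoted above; the engine names are assumed to be the usual ones, and which of them exist on PATH is machine-specific.

```shell
#!/bin/sh
# Added example, not from the texhax thread: report which TeX engines
# embed an xpdf/poppler library, and which version, by parsing the
# "Compiled with xpdf version X" line of their --version banners.

# Print "<lib> <version>" for the first "Compiled with xpdf|poppler
# version ..." line in the banner passed as $1, or "none" if absent.
xpdf_version_from_banner() {
    printf '%s\n' "$1" | awk '
        /[Cc]ompiled with (xpdf|poppler) version/ {
            for (i = 1; i <= NF; i++)
                if ($i == "xpdf" || $i == "poppler") {
                    # fields are: ... <lib> version <ver> ...
                    print $i, $(i + 2)
                    found = 1
                    exit
                }
        }
        END { if (!found) print "none" }'
}

# Constructed sample banner (assumption: shaped like pdftex -v output of
# the period, with the xpdf line quoted in the thread).
SAMPLE_BANNER='pdfTeX 3.1415926-1.40.10-2.2 (TeX Live 2009)
kpathsea version 5.0.0
Compiled with libpng 1.2.40; using libpng 1.2.40
Compiled with zlib 1.2.3; using zlib 1.2.3
Compiled with xpdf version 3.01'

# Run the check against every engine found on PATH. Engine names are an
# assumption; missing ones are reported rather than treated as errors.
scan_tex_engines() {
    for engine in pdftex luatex xetex dvipdfmx; do
        if command -v "$engine" >/dev/null 2>&1; then
            banner=$("$engine" --version 2>/dev/null) || banner=''
            printf '%s: %s\n' "$engine" "$(xpdf_version_from_banner "$banner")"
        else
            printf '%s: not installed\n' "$engine"
        fi
    done
}

# Stand-alone run: show the parsed sample, then scan this machine.
printf 'sample banner -> %s\n' "$(xpdf_version_from_banner "$SAMPLE_BANNER")"
scan_tex_engines
```

Whether a reported version is affected by a given Xpdf advisory still has to be checked against that advisory (and against the distribution's backported patches, which do not bump the embedded version string), so treat the output as an inventory, not a verdict.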

