[texhax] security issues
James Quirk
jjq at galcit.caltech.edu
Fri Jul 23 13:31:44 CEST 2010
Victor,
On Fri, 23 Jul 2010, Victor Ivrii wrote:
> On Fri, Jul 23, 2010 at 4:49 AM, Uwe Lueck <uwe.lueck at web.de> wrote:
> > Hi folks,
> >
> > to my astonishment, I find security warnings touching TeX in the German Linux Magazine:
> >
> > BibTeX:
> > http://www.securityfocus.com/bid/34332
I'm not sure why you're astonished. For many of the security warnings
arise from buffer overflows and the like that can afflict any non-trivial
piece of software, whatever the application. While I can't claim to be a
computer security expert, I am acknowledged in Adobe's last two
security advisories for problems I stumbled across while using pdftex.
So you could say I just know enough to be dangerous. :-)
Here it's also worth bearing in mind the paper by Checkoway et al:
http://cseweb.ucsd.edu/~scheckow/papers/tex2010.html
which discusses how TeX input files can be abused in a variety of ways.
>
> Don't know
>
> >
> > teTeX English:
> > http://freshmeat.net/articles/red-hat-updated-tetex-packages-fix-multiple-security-issues
> >
> > teTeX, TeX Live 2007 German:
> > http://www.linux-magazin.de/DFN-CERT-Advisories/RedHat-Mehrere-Schwachstellen-im-Textsatzsystem-teTeX-RHSA-2010-0399-01
>
>
> TL2010 has addressed many security issues.
>
> >
> > Xpdf:
> > http://www.securityfocus.com/bid/36703
>
>
> Xpdf is not part of TeX and I believe the latest security issue was
This statement is not true as pdftex 1.40.x is built using Xpdf. On my
machine, pdftex -v reports: Compiled with xpdf version 3.01
> addressed by pl4 patch. BTW in many distributions xpdf is replaced by
> kpdf (not sure about security issues)
Kpdf is similarly built using Xpdf. Thus the bottom line: some
vulnerabilities in Xpdf and its dependent libraries, such as libpng, *do*
taint pdftex, Kpdf and a slew of other applications. Although personally I
am not going to lose any sleep over it. In fact, one can sometimes
exploit software weaknesses for a positive end.
As a case in point, if there are any OSX users of R, drop me a line
and I'll send you a PDF which runs an R session directly in a
pdftex-generated PDF.
James
>
> >
> > I have rarely looked at TeX user journals and am wondering whether they have a regular column on security issues.
> >
> > Cheers,
> >
> > Uwe.
> > _______________________________________________
> > TeX FAQ: http://www.tex.ac.uk/faq
> > Mailing list archives: http://tug.org/pipermail/texhax/
> > More links: http://tug.org/begin.html
> >
> > Automated subscription management: http://tug.org/mailman/listinfo/texhax
> > Human mailing list managers: postmaster at tug.org
> >
>
>
> Victor
>
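The reply above establishes the point by reading the "Compiled with xpdf version 3.01" line from pdftex -v, and notes that vulnerabilities in Xpdf's dependent libraries such as libpng carry over too. The script below is an added example, not code from the thread or from the TeX Live project: it parses that banner for every "Compiled with <library> <version>" line so an administrator can inventory which embedded library versions a given pdftex binary carries. The banner wording is taken from the post; the sample banner and its version numbers are constructed for offline use, and the helper names are my own.

```shell
#!/bin/sh
# Added example: inventory the library versions baked into a pdftex binary.
# Only the line "Compiled with xpdf version 3.01" is quoted from the post above;
# the rest of SAMPLE_BANNER is constructed to resemble `pdftex -v` output.
SAMPLE_BANNER='pdfTeX 3.1415926-1.40.10-2.2 (TeX Live 2009)
kpathsea version 5.0.0
Compiled with libpng 1.2.40; using libpng 1.2.40
Compiled with zlib 1.2.3; using zlib 1.2.3
Compiled with xpdf version 3.01'

# compiled_with_version LIB: read a pdftex -v banner on stdin and print the
# version pdftex was compiled against for LIB (xpdf, libpng, zlib, ...).
# Handles both "Compiled with xpdf version 3.01" and "Compiled with libpng 1.2.40;".
# Prints "unknown" when the banner does not name that library.
compiled_with_version() {
    v=$(sed -n "s/.*Compiled with $1 \(version \)\{0,1\}\([0-9][0-9.]*\).*/\2/p" | head -n 1)
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf 'unknown\n'
    fi
}

# report_banner BANNER: print one line per library of interest, so the output
# can be compared against the versions named in a vendor advisory.
report_banner() {
    banner=$1
    for lib in xpdf libpng zlib; do
        printf '%-7s %s\n' "$lib:" "$(printf '%s\n' "$banner" | compiled_with_version "$lib")"
    done
}

# Stand-alone use: inspect the installed pdftex when present, else the constructed sample.
if command -v pdftex >/dev/null 2>&1; then
    report_banner "$(pdftex -v 2>&1)"
else
    report_banner "$SAMPLE_BANNER"
fi
```

Run it on a machine with pdftex to see the real values; the version strings it prints are what you would check against a distribution's advisory for the bundled Xpdf and libpng code, since those libraries are statically compiled into pdftex rather than loaded from the system at run time.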