[tex-k] [rhn-admin@rhn.redhat.com: RHN Errata Alert: Command execution vulnerability in dvips]

Tomas G. Rokicki rokicki@CS.Stanford.EDU
Tue, 15 Oct 2002 08:20:25 -0700


I am not sure whether this has been fixed or not.

Further, I suspect it hasn't been.

There is #ifdef SECURE, but I'm not even sure that covers all the
possibilities.

Dvips uses popen() and system() in 11 different places, and not all
of them appear to be appropriately protected.

I was not aware of this advisory before this time.  I will have to
spend some time and determine what the impact is.  I will also spend
some time and close all the obvious popen/system issues in dvips.

I'm not sure how paranoid I need to be.  The makefont subroutine
executes scripts, which might be insecure or might execute binaries
without hardwiring a path, which can then be hijacked, etc.  But I
will spend some time on it, probably next week (the 25th and 26th
of October).

There is some ancient functionality in there (the use of tek2ps
and iff2ps to convert Tektronix graphics and Amiga IFF format to
PostScript, neither of which are probably used by anyone) that
might be hijacked.

This *may* end up reducing the functionality of dvips.
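
Added example, not part of the original message and not code from dvips: one way to close the popen()/system() and unqualified-path concerns raised above is to validate the font name against an allow-list and run the helper with execve() on an absolute path under a fixed environment, so no shell and no PATH search is involved. The function names, the allowed character set, the PATH value and the helper path are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical allow-list: 1..64 chars from [A-Za-z0-9_-], not starting
 * with '-', so the value can be neither an option nor a path. */
int safe_font_name(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
    size_t n = strlen(s);
    if (n == 0 || n > 64 || s[0] == '-')
        return 0;
    return strspn(s, ok) == n;
}

/* Run helper (absolute path only) with one validated argument.
 * Returns the helper's exit status, or -1 if refused or on failure. */
int run_font_helper(const char *helper, const char *font)
{
    /* Fixed environment (assumed value): lookups done by the helper
     * itself cannot be redirected through the caller's PATH. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    char *const argv[] = { (char *)helper, (char *)font, NULL };
    int status;
    pid_t pid;

    if (helper[0] != '/' || !safe_font_name(font))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(helper, argv, envp);   /* no shell, no PATH search */
        _exit(127);                   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed inputs; the helper path is a placeholder, so 127 is
     * expected wherever no such program is installed. */
    const char *helper = "/usr/local/libexec/font-helper";
    printf("cmr10    -> %d\n", run_font_helper(helper, "cmr10"));
    printf("cmr10;id -> %d\n", run_font_helper(helper, "cmr10;id"));
    return 0;
}
```

Because the argument is passed as a single argv element, shell metacharacters would be inert even without the allow-list; the allow-list additionally keeps option-like and path-like values away from the helper.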