[tex-live] dvips cannot find figures

Nelson H. F. Beebe beebe at math.utah.edu
Thu Dec 29 01:32:43 CET 2005


Reinhard Kotucha <reinhard.kotucha at web.de> writes today on this
list:

>> If absolute paths are disallowed, what can be damaged if you
>> "cd /tmp" before you execute anything?

Perhaps not damaged, but on some systems, that simply won't work.

Recent GNU/Linux, and possibly other operating systems, allow
filesystem mounts in no-execute mode, and some systems are set to
mount /tmp and /var/tmp that way.  It is then impossible to run any
executable that resides in those directory trees without first copying
it to some other filesystem.  Of course, for shell scripts, one can
still do "sh < /tmp/malicious-script.sh", "perl < /tmp/nasty-stuff.pl",
and so on.

The opening up of avenues in DVI, PostScript, PDF, and fonts for
execution of arbitrary code during simple VIEWING of those files is a
step not to be taken lightly.  Such a facility was tried in TeX in the
1980s at Heidelberg, and then quickly removed when someone exploited
it a short time later for nefarious purposes.

For most users, "viewing" means "reading", and by implication, means
"NOT WRITING".

An example of the security mess that results when this separation is not
maintained arrived in my mailbox just a few minutes ago:

>> ...
>> Sorry to be the bearer of bad news during the holidays but, there is a
>> new day 0 vulnerability with Windows Metafiles (WMF), used for rendering
>> images.
>>
>> Here is what I have found out so far:
>>   1)  All Windows XP SP2 machines are vulnerable.
>>   2)  Internet Explorer users will get infected if they go to a web site
>>       that contains an image with the exploit.
>>   3)  Firefox users will get infected if they download the image with the
>>       exploit.
>>   4)  Google Desktop is vulnerable, if the indexing function finds an
>>       image with the exploit on a local hard drive.
>>   5)  No patch is available for this vulnerability yet.
>>
>> Additional information is available at:
>>  <http://www.f-secure.com/weblog/>
>>  <http://www.theinquirer.net/?article=28593>
>>  <http://www.techspot.com/news/19936-windows-wmf-0day-exploit-in-the-wild.html>
>>  <http://antivirus.about.com/b/a/2005_12_28.htm>
>>  <http://secunia.com/advisories/18255/>
>>  <http://www.russianewswire.com/releases_headlines_details.php?id=1483>
>> ...

-------------------------------------------------------------------------------
- Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
- University of Utah                    FAX: +1 801 581 4148                  -
- Department of Mathematics, 110 LCB    Internet e-mail: beebe at math.utah.edu  -
- 155 S 1400 E RM 233                       beebe at acm.org  beebe at computer.org -
- Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe/ -
-------------------------------------------------------------------------------
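
The two checks behind the point made above, as an added example that is not
part of the original post or of TeX Live: a parser that tells you whether a
path sits on a noexec mount (longest-prefix match over a /proc/mounts-style
table, which is how the kernel resolves it), and a demonstration that a file
the kernel refuses to execve is still run when an interpreter merely reads
it, whether via "sh < file" or "sh file". The mount table is constructed
inline, the function names are my own, and because a noexec mount cannot be
created without root the demo uses a script with its execute bit cleared as a
stand-in: direct execution then fails with the same EACCES ("Permission
denied") that a noexec mount produces.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers:
#   noexec_for_path TABLE PATH  - report whether PATH lives on a mount whose
#                                 options contain "noexec"
#   interpreter_bypass_demo     - show that a file which cannot be executed
#                                 directly still runs when fed to sh on stdin

# Constructed mount table in /proc/mounts format:
#   device mountpoint fstype options dump pass
# Nested mounts are deliberate: /var/tmp is noexec, /var/tmp/build is not.
# (Real /proc/mounts escapes spaces in paths as \040; not unescaped here.)
MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /var/tmp/build ext4 rw,relatime 0 0'

# Print "noexec" (status 0) or "exec" (status 1) for PATH, using the
# longest mount point in TABLE that is a prefix of PATH.
noexec_for_path() {
    table=$1; path=$2
    best=''; bestopts=''
    while read -r dev mnt fstype opts dump pass; do
        [ -n "$mnt" ] || continue
        if [ "$mnt" = / ]; then
            match=1                      # the root mount covers every path
        else
            case "$path" in
                "$mnt"|"$mnt"/*) match=1 ;;   # /var/tmpfoo must NOT match /var/tmp
                *)               match=0 ;;
            esac
        fi
        if [ "$match" -eq 1 ] && [ "${#mnt}" -gt "${#best}" ]; then
            best=$mnt; bestopts=$opts
        fi
    done <<EOF
$table
EOF
    case ",$bestopts," in
        *,noexec,*) echo noexec; return 0 ;;
        *)          echo exec;   return 1 ;;
    esac
}

# Direct execution is refused, but "sh < file" runs the same bytes: noexec
# and the execute bit govern execve(2), not what an interpreter read()s.
# Prints both outcomes on one line: "refused ran-via-stdin".
interpreter_bypass_demo() {
    dir=$(mktemp -d) || return 1
    script="$dir/payload.sh"
    printf '%s\n' 'echo ran-via-stdin' > "$script"
    chmod 0644 "$script"                               # no execute bit at all
    direct=$("$script" 2>/dev/null || echo refused)    # execve fails with EACCES
    viastdin=$(sh < "$script")                         # interpreter only reads it
    rm -rf "$dir"
    echo "$direct $viastdin"
}

# Stand-alone run. Against the live system you would pass the real table:
#   noexec_for_path "$(cat /proc/mounts)" /tmp/some-binary
for p in /tmp/a.out /var/tmp/x /var/tmp/build/a.out /home/me/a.out; do
    printf '%-22s -> %s\n' "$p" "$(noexec_for_path "$MOUNTS" "$p")"
done
interpreter_bypass_demo
```

The parser's status code makes it usable as a guard ("if noexec_for_path
... ; then ..."), but the second helper is the real lesson: a noexec /tmp
stops nothing that arrives as a script for an installed interpreter, which is
exactly the case for any "viewer" that hands document content to a language
runtime.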