[tex-live] Status of restricted \write18 and epstopdf conversion
cherepan at mccme.ru
Mon Oct 19 02:04:27 CEST 2009
On Sun, 18 Oct 2009 23:12:13 +0200, Manuel Pégourié-Gonnard <mpg at elzevir.fr> wrote:
>> This is also not that easy but you seem to manage it (just received
>> your next mail), nice. Will look into the new version now.
> It is actually very easy on Unix, the only problem being with windows.
> I'm looking forward to hearing your comments on the new version.
All mentioned problems are solved. So, do you consider it a security
bug (shell injection in epstopdf and/or directory traverse in
repstopdf)? CVE, advisory and the like? Are there any distros which
have restricted shell-execute with allowed epstopdf? miktex2.8, what
I also didn't waste time today, here is the next part of the problems;)
1. In repstopdf, you protect dot-files on Unix from overwriting but
don't protect files in dot-directories, say .ssh/authorized_keys when
run from ~.
Is it checked in tex when openout_any=r or openout_any=p?
2. repstopdf --nogs " ../file" (and ">../file") bypasses checks but
you have already fixed it:-)
3. repstopdf implements openout_any=p but ignores openin_any. Having
shell_escape=p (partially) and openin_any=p (paranoid) in texmf.cnf at
the same time doesn't seem very eccentric.
4. In epstopdf.pl, the extension is removed from the name of input
file by the following line:
$OutputFilename =~ s/\.[^\.]*$//;
It should not span directory parts like in
The remaining items are only for the case of Windows.
5. In tex, special symbols in \write18 are not handled properly, so
repstopdf input.eps & echo Pwned
repstopdf input.eps | echo Pwned
works fine;-) Seems \write18 should be switched off entirely on
Windows (short of fixing tex binaries).
6. When you have gswin32c.exe in current directory (could be written
from tex) repstopdf calls it so any defense is defeated. Maybe there
is a perl module to walk through %path% ...
7. The same for tex with repstopdf.bat AFAIR (don't have win at hand
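Items 1, 2 and 4 above can be reproduced with a few lines of Python. This is an added example, not code from epstopdf.pl, repstopdf or TeX Live: the two `strip_extension_*` functions replay the quoted substitution `$OutputFilename =~ s/\.[^\.]*$//;` and a fixed form that cannot match across a path separator, and `openout_allowed` is a hypothetical paranoid policy in the spirit of openout_any=p (rejecting dot-directories, whitespace-padded names and shell metacharacters), not the check kpathsea or repstopdf actually implements.

```python
import os
import re

# Pattern from the epstopdf.pl line quoted in item 4:  s/\.[^\.]*$//
# It matches the last '.' and everything after it, so when the *directory*
# part of the name contains a dot and the file name itself does not, the
# match runs across the '/' and eats the whole last component.
EXT_BUGGY = re.compile(r'\.[^.]*$')

# Fixed form: an extension may not contain a path separator, so the match
# can only start at a dot inside the last component.  (Assumes POSIX '/'
# separators; on Windows add '\\' to the character class.)
EXT_FIXED = re.compile(r'\.[^./]*$')


def strip_extension_buggy(name: str) -> str:
    """Behaviour of the substitution quoted in item 4."""
    return EXT_BUGGY.sub('', name, count=1)


def strip_extension_fixed(name: str) -> str:
    """Same operation, restricted to the last path component."""
    return EXT_FIXED.sub('', name, count=1)


# Characters a shell (sh or cmd.exe) treats specially when the file name is
# interpolated into a \write18 command line (items 2 and 5).  Constructed
# list for this example; extend it for the shell you actually run under.
SHELL_META = set('&|;<>`$()\n\r"\'')


def openout_allowed(name: str) -> bool:
    """Hypothetical paranoid check modelled on openout_any=p (not kpathsea's).

    Rejects:
      * leading/trailing whitespace, so " ../file" (item 2) is refused
        before anything else gets a chance to strip the space,
      * shell metacharacters, so ">../file" and "x & echo Pwned" are refused,
      * absolute paths and drive letters,
      * any '..' component,
      * any component starting with '.', not only a dot-file in the last
        position, so .ssh/authorized_keys (item 1) is refused as well.
    """
    if not name or name != name.strip():
        return False
    if SHELL_META & set(name):
        return False
    if os.path.isabs(name) or re.match(r'^[A-Za-z]:', name):
        return False
    for comp in name.replace('\\', '/').split('/'):
        if comp == '..' or comp.startswith('.'):
            return False
    return True


if __name__ == '__main__':
    # Constructed inputs: a dotted directory with an extension-less file,
    # and the names from items 1 and 2 of the mail.
    for n in ('input.eps', '../some.dir/file'):
        print(repr(n), '->', repr(strip_extension_buggy(n)),
              '(buggy) /', repr(strip_extension_fixed(n)), '(fixed)')
    for n in ('.ssh/authorized_keys', ' ../file', '>../file',
              'input.eps & echo Pwned', 'out/figure.pdf'):
        print(repr(n), 'allowed:', openout_allowed(n))
```

The buggy pattern turns `../some.dir/file` into `../some`, so the "-eps-converted-to.pdf" output lands next to the directory rather than inside it; the fixed pattern leaves the name alone because the only dot is in a directory component. The metacharacter rejection is a stop-gap for the Windows case in item 5: as the mail says, the real fix is in the tex binaries' handling of \write18 arguments, not in the caller.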