[tex-live] Status of restricted \write18 and epstopdf conversion
Alexander Cherepanov
cherepan at mccme.ru
Mon Oct 19 02:04:27 CEST 2009
Hi Manuel!
On Sun, 18 Oct 2009 23:12:13 +0200, Manuel Pégourié-Gonnard <mpg at elzevir.fr> wrote:
>> This is also not that easy but you seem to manage it (just received
>> your next mail), nice. Will look into the new version now.
> It is actually very easy on Unix, the only problem being with windows.
> I'm looking forward to hearing your comments on the new version.
All mentioned problems are solved. So, do you consider it a security
bug (shell injection in epstopdf and/or directory traverse in
repstopdf)? CVE, advisory and the like? Are there any distros which
have restricted shell-execute with allowed epstopdf? miktex2.8, what
else?
I also didn't waste time today, here is the next part of the problems;)
1. In repstopdf, you protect dot-files on unix from overwriting but
don't protect files in dot-directories, say .ssh/authorized_keys when
run from ~ .
Is it checked in tex when openout_any=r or openout_any=p?
2. repstopdf --nogs " ../file" (and ">../file") bypasses checks but
you have already fixed it:-)
3. repstopdf implements openout_any=p but ignores openin_any. Having
shell_escape=p (partially) and openin_any=p (paranoid) in texmf.cnf at
the same time doesn't seem very eccentric.
4. In epstopdf.pl, the extension is removed from the name of input
file by the following line:
$OutputFilename =~ s/\.[^\.]*$//;
It should not span directory parts like in
./other/sub/dir/file_wo_extension .
The remaining items are only for the case of Windows.
5. In tex, special symbols in \write18 are not handled properly, so
repstopdf input.eps & echo Pwned
repstopdf input.eps | echo Pwned
works fine;-) Seems \write18 should be switched off entirely on
Windows (short of fixing tex binaries).
6. When you have gswin32c.exe in current directory (could be written
from tex) repstopdf calls it so any defense is defeated. Maybe there
is a perl module to walk through %path% ...
7. The same for tex with repstopdf.bat AFAIR (don't have win at hand
right now).
Alexander Cherepanov
More information about the tex-live
mailing list