[tex-live] ConTeXt in TL on Windows broken

Reinhard Kotucha reinhard.kotucha at web.de
Tue Jun 1 20:52:11 CEST 2010


On 1 June 2010 Taco Hoekwater wrote:

 > T T wrote:
 > > 
 > >> Is Context /really/ that bad/dangerous ?!
 > > 
 > > If an attacker would place a rogue texlua.exe in the current directory
 > > (not that hard on windows), then you get arbitrary code execution if
 > > you pick up executables from there.  Is that bad enough?
 > 
 > But wouldn't they have to place 'our' mtxrun.dll in the current
 > directory as well then? Doesn't sound very likely to me.

No, I assume that a "texlua.exe" prepared by an attacker only needs
msvcrt.dll.  The latter provides everything needed in order to give
you more free disk space.

But I think this is not Context related.  It's a Windows problem which
cannot be solved.  If someone places a rogue texlua.exe in your
current working directory, you are lost.  ... Or at least your files.

Regards,
  Reinhard

-- 
----------------------------------------------------------------------------
Reinhard Kotucha			              Phone: +49-511-3373112
Marschnerstr. 25
D-30167 Hannover	                      mailto:reinhard.kotucha at web.de
----------------------------------------------------------------------------
Microsoft isn't the answer. Microsoft is the question, and the answer is NO.
----------------------------------------------------------------------------


More information about the tex-live mailing list