[tex-live] Graphics Inclusion Problem.

Heiko Oberdiek heiko.oberdiek at googlemail.com
Tue Oct 19 16:33:59 CEST 2010


On Thu, Oct 14, 2010 at 09:47:52PM +0900, Norbert Preining wrote:

> On Do, 14 Okt 2010, Herbert Schulz wrote:
> > Given the file abc&def.eps if you compile the file
> 
> Naming a file
> 	abc&def
> is a guarantee for problems, on all systems
> 
> Those who want to shoot themselves dead by these actions are free

Apart from being a bug, the most important aspect is that this
is a serious security hole. Basically, calls of "system" that
involve the shell should be replaced by code that scans the
command line for quotation and space to detect the arguments and
then calls "exec" without shell. (Of course the "code" shouldn't
be repeated every time, but be a function call of a commonly used
library.)

Both TeX engines and DVI drivers should be reviewed in this
manner.

> Simple advice and solution: Just don't do it.

It's not enough to defeat malware.

Yours sincerely
  Heiko Oberdiek

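The replacement Heiko describes above (scan the command line for quotes and whitespace to recover the arguments, then exec without a shell), as an added example that is not part of this thread or of any TeX engine or DVI driver. The function names `split_args` and `run_noshell`, the hypothetical command lines and the file name `abc&def.eps` are this example's own; the tokenising rules (double and single quotes group text, backslash escapes the next character) are one reasonable choice, not a specification from the thread.

```c
/* Added example, not TeX Live code: split a command line into argv
 * without a shell, then execvp() it, so that a character such as '&'
 * in "abc&def.eps" reaches the child as a literal argument byte
 * instead of being interpreted by /bin/sh. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Tokenise cmdline on unquoted blanks. Double and single quotes group
 * text; a backslash escapes the next character outside single quotes.
 * Returns argc (argv[argc] is NULL; caller frees each argv[i]),
 * or -1 on an unbalanced quote or when more than maxargs-1 arguments
 * are found (argv must have room for maxargs pointers). */
static int split_args(const char *cmdline, char **argv, int maxargs)
{
    int argc = 0;
    const char *p = cmdline;
    size_t cap = strlen(cmdline) + 1;   /* no token can exceed the input */

    while (*p) {
        while (*p == ' ' || *p == '\t') p++;
        if (!*p) break;
        if (argc >= maxargs - 1) goto fail;

        char *buf = malloc(cap), *out = buf;
        char quote = 0;
        if (!buf) goto fail;

        while (*p && (quote || (*p != ' ' && *p != '\t'))) {
            if (quote) {
                if (*p == quote) { quote = 0; p++; }
                else if (*p == '\\' && quote == '"' && p[1]) { *out++ = p[1]; p += 2; }
                else *out++ = *p++;
            } else if (*p == '"' || *p == '\'') {
                quote = *p++;
            } else if (*p == '\\' && p[1]) {
                *out++ = p[1]; p += 2;
            } else {
                *out++ = *p++;          /* '&', ';', '|' ... stay literal */
            }
        }
        if (quote) { free(buf); goto fail; }   /* unterminated quote */
        *out = '\0';
        argv[argc++] = buf;
    }
    argv[argc] = NULL;
    return argc;

fail:
    for (int i = 0; i < argc; i++) free(argv[i]);
    argv[0] = NULL;
    return -1;
}

/* fork() and execvp() the split argv; no shell is involved, so shell
 * metacharacters in file names cannot start a second command.
 * Returns the child's exit status, 127 if exec failed, -1 on error. */
static int run_noshell(const char *cmdline)
{
    char *argv[64];
    int argc = split_args(cmdline, argv, 64);
    if (argc <= 0) return -1;

    pid_t pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (pid > 0) waitpid(pid, &status, 0);
    for (int i = 0; i < argc; i++) free(argv[i]);
    if (pid < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed command line: the file name from the thread plus a
     * quoted name containing a blank. */
    const char *cmd = "epstopdf abc&def.eps 'my figure.eps'";
    char *argv[8];
    int argc = split_args(cmd, argv, 8);
    for (int i = 0; i < argc; i++) {
        printf("argv[%d] = [%s]\n", i, argv[i]);
        free(argv[i]);
    }
    /* run_noshell(cmd) would exec "epstopdf" directly with those
     * three argv entries, never consulting /bin/sh. */
    return 0;
}
```

Note that this only removes the shell from the picture: the called program still receives the raw file name, so argument-injection issues of that program (for example a name that begins with `-` being read as an option) remain the caller's problem and need a separate check, such as refusing names outside an allowed character set or placing `--` before file arguments where the program supports it.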
