[texhax] security issues

Victor Ivrii vivrii at gmail.com
Fri Jul 23 14:07:14 CEST 2010

On Fri, Jul 23, 2010 at 7:31 AM, James Quirk <jjq at galcit.caltech.edu> wrote:
> Victor,
> On Fri, 23 Jul 2010, Victor Ivrii wrote:
>> On Fri, Jul 23, 2010 at 4:49 AM, Uwe Lueck <uwe.lueck at web.de> wrote:
>> > Hi folks,
>> >
>> > to my astonishment, I find security warnings touching TeX in the German Linux Magazine:
>> >
>> > BibTeX:
>> >    http://www.securityfocus.com/bid/34332
> I'm not sure why you're astonished.

James, it is not me but the original poster.

> For many of the security warnings
> arise from buffer overflows and the like that can afflict any non-trivial
> piece of software, whatever the application. While I can't claim to be a
> computer security expert, I am acknowledged in Adobe's last two
> security advisories for problems I stumbled across while using pdftex.
> So you could say I just know enough to be dangerous. :-)
> Here it's also worth bearing in mind the paper by Checkoway et al:
> http://cseweb.ucsd.edu/~scheckow/papers/tex2010.html
> which discusses how TeX input files can be abused in a variety of ways.

It is interesting, albeit with --shell-escape exploit would be trivial

>> Xpdf is not part of TeX and I believe the latest security issue was
> This statement is not true as pdftex 1.40.x is built using Xpdf. On my
> machine, pdftex -v reports: Compiled with xpdf version 3.01


Compiled with xpdf version 3.02pl4

 which means ALL up-to-date security patches. Sure older versions do
not have them

>> addressed by pl4 patch. BTW in many distributions xpdf is replaced by
>> kpdf (not sure about security issues)
> Kpdf is similarly built using Xpdf. Thus the bottom line: some
> vulnerabilities in Xpdf and its dependent libraries, such as libpng,

Which versions?

> *do*
> taint pdftex, Kpdf and a slew of other application. Although personally I
> am not going to lose any sleep over it. In fact, one can sometimes
> exploit software weaknesses for a positive end.
> As a case in point, if there are any OSX users of R, drop me a line
> and I'll send you a PDF which runs an R session directly in a
> pdftex-generated PDF.

> James

Victor Ivrii, Professor, Department of Mathematics, University of Toronto

More information about the texhax mailing list