Re: forwarded message from Jeff Licquia
On Tue, Jul 16, 2002 at 11:51:35PM -0400, Boris Veytsman wrote:
> I am afraid the ignorance is truly mutual.
>
> I was amused by the suggestion that a LaTeX macro might cause a
> security problem and thus need a fix by Debian team. This is about as
> possible as a security problem from the Bible text in bible-kjv-text.
I'm not amused by this suggestion. I'm dead serious.
I see that ctan.tug.org, the US mirror where you recommend
people get their LaTeX packages is running WU-FTPD.
220 alan.smcvt.edu FTP server (Version wu-2.6.1-0.6x.21) ready.
This FTP daemon is known in the security industry as being less
than secure.[1] See: http://www.cert.org/advisories/CA-2001-33.html
If you recall the latest configure script hijacking of
fragroute, dsniff, and fragrouter, you will note that malicious
attackers can seize a server and replace the "official" files with
modified ones (that don't respect the LPPL.)
I can imagine latex.ltx containing a couple extra
\openin15=.ssh/identity , \openin15=.gnupg/secring.gpg and
\openout15=.shrc commands[2] as put there by someone who has cracked an
FTP server. Please don't laugh or scoff at this "remote possibility,"
just because you guys haven't seen this happen before, doesn't mean it
can't happen.
Simon
[1] Please note that I have no intention of doing any penetration
testing on this machine to see if it vulnerable to any attacks.
Caveat sysadmin.
[2] Warning, I am not a true TeXnician, so my syntax may be
rusty/completely wrong. But I know that TeX (and therefore LaTeX)
has filesystem access.
--
To UNSUBSCRIBE, email to debian-legal-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: