
Bug#181065: tetex-base: dvips default output and security settings need clarification



Package: tetex-base
Version: 2.0-1
Severity: normal

There are several things to improve about the default output and default
security settings of dvips.

(1) Dvips.info (actually in tetex-bin not tetex-base) says this:

    `-R'
         Run securely.  This disables shell command execution in `\special'
         (via ``', *note Dynamic creation of graphics::) and config files
         (via the `E' option, *note Configuration file commands::), pipes as
         output files, and opening of any absolute filenames.

But it is no longer true that setting -R (or in config file `z1') disables
output to a pipe.  I also cannot find where in the sources the loading of
absolute filenames is prohibited by secure=1, so that probably also should be
corrected -- either to implement it or to remove the claim that it is
implemented.

There is one exception, when __DJGPP__ is defined in output.c.  This is
probably a bug that should be forwarded upstream out of courtesy, although it
does not affect Debian.  I think if secure=1 and __DJGPP__ is defined and
output is sent to a pipe, the program will fail without any kind of error
message.

(2) The comments regarding `z*' and `o' in config.ps could be clearer.
    Suggestions are below.  This was more of a problem before in the version
    before tetex-2.0.

(3) Dvips.info documentation of the "o" configuration file option has a typo:

    `o NAME'
         Send output to NAME.  Same as `-', *note Option details::.  In the
         file `config.foo', a setting like this is probably appropriate:

That should be `-o' not `-' in the second sentence.

--------------------------

In config.ps:

Existing:

    % Execution of external programs is disabled by default. Set
    % to z0 if you want backticks in \special commands enabled.
    z1

    % How to print, maybe with lp instead lpr, etc. If commented-out, output
    % will go into a file by default.
    % o |lpr

What it should be (and this also explains z* better):

    % A setting of `z1' inhibits execution of shell commands in `\special's
    % and via the `E' option in config files like this one.
    % Dvips permits these operations by default or with an explicit setting of `z0'.
    % Debian GNU/Linux inhibits these operations by default with the setting `z1' here.
    z1

    % Where dvips output should go by default.  If unspecified, output goes to a file.
    % To send output via a pipe directly to a printing program such as `lpr',
    % use a line like one of the following two:
    % o |lpr
    % o |lpr -Pmyprinter
    % To send output to standard-output by default, use:
    % o -



-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux beth 2.4.20 #1 Fri Jan 31 16:26:56 EST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages tetex-base depends on:
ii  debconf                       1.2.21     Debian configuration management sy
ii  dpkg                          1.10.9     Package maintenance system for Deb
ii  texinfo                       4.2-1      Documentation system for on-line i

-- debconf information excluded