
Bug#51586: Please Reopen 51586 ("secure" mode in dvips should be the default)



From: "Mark
Subject: Bug#51586:
Date: Fri,

> This is a *security* issue, not a wishlist request.  It is also
> reasonable for it to be fixed in a debian-specific manner.
> 
>  > At least if the user never encountered the real problem
>  > then this would be not a bug at all.
> 
> If a user *ever* encounters this as a problem, it is too late, because
> it will be a CERT advisory and not just a bug report anymore...

I might think the report too simple, but do you really
know that dvips without "-R" has a *security* problem?

I know very little about security problems, but I wonder if it is
so insecure that dvips can execute shell commands only through
\special.

And dvips will lose useful features, dynamic creation of PostScript
graphics files for example.

I think I cannot judge whether this is so serious or not.  Please
explain more if you think this is really a serious security problem.

By the way, it is described in the dvips info as follows:

Dynamic creation of PostScript graphics files
---------------------------------------------
(snip)
or whatever is appropriate.  This feature can be disabled with the `-R'
command-line option or `R' configuration option.

Is this "`R' configuration option" really so??

Thanks in advance,		2000.5.20

--
 Debian JP Developer - much more I18N of Debian
 Atsuhito Kohda <kohda@pm.tokushima-u.ac.jp>
 Department of Math., Tokushima Univ.


