
Bug#51586: Please Reopen 51586 ("secure" mode in dvips should be the default)



I hope you don't mind my bringing this to the attention of a wider
audience (security@debian.org in particular), I think they might have
more clear arguments as to why dvips -R should be the default (or not,
and if not, they're probably more likely to convince me to drop the
issue :-)

> By the way it is described in dvips info like follows; ...
> or whatever is appropriate.  This feature can be disabled with the `-R'
> command-line option or `R' configuration option.

When I submitted the report, I think the configuration option was new,
and the place I'd heard about the issue had actually changed the
code.  Changing the debian version of the config file is probably
a reasonable approach.  I don't recall if I'd checked the redhat
installation at the time for comparison.

> I know very little about security problem but I wonder if it is
> so unsecure that dvips can execute shell commands only through 
> \special.

It means that if I send someone a DVI file, and they view it with xdvi
it looks ok (because xdvi ignores most \specials) but if I have a
\special that says "rm -rf $HOME", and they go to print it, kaboom.

I was going to suggest that "even worse, suppose that they're using
magicfilter, and just lpr foo.dvi, and magicfilter runs the \special
and does damage" except that I just looked at the magicfilter dvi
lines, and guess what:

# TeX DVI
0	\367\002	fpipe	/usr/bin/dvips  -D 1440  -R -q -f 

i.e. the magicfilter maintainer already forces -R, probably for this
very reason - so you cannot use dvips to compromise lpr/magicfilter.
I'd much rather users be protected themselves as well; if you're sure
you're getting the dvi from a trusted source you can override it
yourself.
			_Mark_ <eichin@thok.org>
			The Herd of Kittens
			Debian Package Maintainer
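
An added example, not part of the original message: a small audit that reads print-filter rules in the format quoted above and reports any dvips invocation that does not run in secure mode. The function names are hypothetical, every sample rule except the first is constructed, and the -R0/-R1/-R2 forms are an assumption taken from later dvips releases rather than from this thread.

```python
import os

# First rule is the one quoted in the message; the others are constructed.
SAMPLE = r"""
# TeX DVI (rule quoted in the message)
0 \367\002 fpipe /usr/bin/dvips  -D 1440  -R -q -f
# constructed: same rule without -R
0 \367\002 fpipe /usr/bin/dvips -D 1440 -q -f
# constructed: -R0 turns secure mode back off
0 \367\002 fpipe /usr/bin/dvips -R0 -q -f
"""

def dvips_args(line):
    """Return the arguments passed to dvips, or None if the rule does not run it."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if os.path.basename(tok) == "dvips":
            return tokens[i + 1:]
    return None

def is_secure(args):
    """True if the last -R style option on the command line enables secure mode."""
    secure = False
    for arg in args:
        if arg in ("-R", "-R1", "-R2"):
            secure = True
        elif arg == "-R0":  # assumption: explicit "off" form in later releases
            secure = False
    return secure

def audit(text):
    """Return (line number, rule) for every dvips rule lacking secure mode."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blanks and comments
        args = dvips_args(stripped)
        if args is not None and not is_secure(args):
            findings.append((lineno, stripped))
    return findings

if __name__ == "__main__":
    for lineno, rule in audit(SAMPLE):
        print(f"line {lineno}: dvips without secure mode: {rule}")
```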


