Bug#51586: Please Reopen 51586 ("secure" mode in dvips should be the default)
I hope you don't mind my bringing this to the attention of a wider
audience (security@debian.org in particular), I think they might have
more clear arguments as to why dvips -R should be the default (or not,
and if not, they're probably more likely to convince me to drop the
issue :-)
> By the way it is described in dvips info like follows; ...
> or whatever is appropriate. This feature can be disabled with the `-R'
> command-line option or `R' configuration option.
When I submitted the report, I think the configuration option was new,
and the place I'd heard about the issue had actually changed the
code. Changing the Debian version of the config file is probably
a reasonable approach. I don't recall if I'd checked the Red Hat
installation at the time for comparison.
> I know very little about security problem but I wonder if it is
> so unsecure that dvips can execute shell commands only through
> \special.
It means that if I send someone a DVI file, and they view it with xdvi
it looks ok (because xdvi ignores most \specials) but if I have a
\special that says "rm -rf $HOME", and they go to print it, kaboom.
I was going to suggest that "even worse, suppose that they're using
magicfilter, and just lpr foo.dvi, and magicfilter runs the \special
and does damage" except that I just looked at the magicfilter dvi
lines, and guess what:
# TeX DVI
0 \367\002 fpipe /usr/bin/dvips -D 1440 -R -q -f
i.e. the magicfilter maintainer already forces -R, probably for this
very reason - so you cannot use dvips to compromise lpr/magicfilter.
I'd much rather users be protected themselves as well; if you're sure
you're getting the dvi from a trusted source you can override it
yourself.
_Mark_ <eichin@thok.org>
The Herd of Kittens
Debian Package Maintainer
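
A way to list the \specials a DVI file carries before it is handed to dvips without -R, as an added example that is not part of the original message or of dvips/magicfilter. The function names and the sample bytes are constructed here, and the backquote test assumes the psfile="`command" form described in the dvips manual.

```python
import struct

# Operand sizes for fixed-length DVI opcodes; opcodes not listed take none.
FIXED = {132: 8, 137: 8, 139: 44, 248: 28}   # set_rule, put_rule, bop, post
FIXED.update({b + n: n + 1 for n in range(4)  # set1-4, put1-4, right1-4, w, x, ...
              for b in (128, 133, 143, 148, 153, 157, 162, 167, 235)})

def dvi_specials(data):
    """Return the text of every \\special (xxx1..xxx4) in a DVI byte string."""
    if data[:2] != b"\xf7\x02":              # the magic the magicfilter rule matches
        raise ValueError("not a DVI file")
    specials, i = [], 0
    try:
        while i < len(data):
            op, i = data[i], i + 1
            if 239 <= op <= 242:             # xxx1..xxx4: length field, then text
                n = op - 238
                k = int.from_bytes(data[i:i + n], "big")
                specials.append(data[i + n:i + n + k].decode("latin-1"))
                i += n + k
            elif 243 <= op <= 246:           # fnt_def1..4: k, c, s, d, a, l, name
                i += (op - 242) + 12
                i += 2 + data[i] + data[i + 1]
            elif op == 247:                  # pre: i, num, den, mag, k, comment
                i += 14 + data[i + 13]
            elif op == 249:                  # post_post: only padding follows
                break
            else:
                i += FIXED.get(op, 0)
    except IndexError:
        i = len(data) + 1
    if i > len(data):                        # fail closed on truncated input
        raise ValueError("truncated DVI file")
    return specials

def risky_specials(data):
    """Specials with a backquote (assumption: dvips' documented command marker)."""
    return [s for s in dvi_specials(data) if "`" in s]

def _xxx1(text):                             # builds one special for the sample
    return bytes([239, len(text)]) + text

# Constructed sample: preamble, one page with two specials, postamble.
SAMPLE = (bytes([247, 2]) + struct.pack(">III", 25400000, 473628672, 1000) + b"\0"
          + bytes([139]) + bytes(44) + _xxx1(b"papersize=597pt,845pt")
          + bytes([146, 0, 0, 239, 1])       # right4 whose operand contains byte 239
          + _xxx1(b'psfile="`echo constructed-example"')
          + bytes([65, 140, 248]) + bytes(28) + bytes([249, 0, 0, 0, 0, 2]) + b"\xdf" * 4)
```

The right4 operand in the sample contains the byte 239, which a plain byte search would misread as the start of a \special; walking the opcodes skips it.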