Bug#164820: Patch from redhat
And this is the patch redhat used to fix this hole...
(from the package tetex-1.0.6-11.3.src.rpm)
It applies cleanly to tetex-bin_1.0.7+20011202-8. Did not try try to
compile, though.
Jan
--- teTeX-src-beta-20020207/texk/kpathsea/tex-make.c.security Tue Jan 26 21:31:23 1999
+++ teTeX-src-beta-20020207/texk/kpathsea/tex-make.c Tue Sep 3 12:07:34 2002
@@ -138,14 +138,6 @@
int save_stderr = -1;
#endif
- /* If the user snuck `backquotes` or $(command) substitutions into the
- name, foil them. */
- for (i = 0; i < strlen (cmd); i++) {
- if (cmd[i] == '`' || (cmd[i] == '$' && cmd[i+1] == '(')) {
- cmd[i] = '#';
- }
- }
-
/* Tell the user we are running the script, so they have a clue as to
what's going on if something messes up. But if they asked to
discard output, they probably don't want to see this, either. */
@@ -259,10 +251,31 @@
string args, cmd;
const_string prog = spec.program;
const_string arg_spec = spec.program_args;
+ unsigned int i;
if (format <= kpse_any_glyph_format)
set_maketex_mag ();
+ /* If the user snuck `backquotes` or $(command) substitutions etc
+ into the name, foil them.
+ Thwart ../ in file names too.
+ */
+ for (i = 0; i < strlen (base); i++) {
+ char c = base[i];
+
+ if (c == '.' && base[i+1] == '.' && base[i+2] == '/') {
+ base[i] = base[i+1] = '_';
+ continue;
+ }
+
+ if (('A' <= c && c <= 'Z')
+ || ('a' <= c && c <= 'z')
+ || ('0' <= c && c <= '9')
+ || strchr("_-.", c))
+ continue;
+ base[i] = '#';
+ }
+
/* Here's an awful kludge: if the mode is `/', mktexpk recognizes
it as a special case. `kpse_prog_init' sets it to this in the
first place when no mode is otherwise specified; this is so
Reply to: