
Bug#181065: marked as forwarded (tetex-base: dvips default output and security settings need clarification)



Your message dated Fri, 23 Apr 2004 14:54:20 +0200
with message-id <87r7ueyhvn.fsf@alhambra.bioz.unibas.ch>
has caused the Debian Bug report #181065,
regarding tetex-base: dvips default output and security settings need clarification
to be marked as having been forwarded to the upstream software
author(s) tex-k@mail.tug.org.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

---------------------------------------
Received: (at 181065-forwarded) by bugs.debian.org; 23 Apr 2004 13:08:09 +0000
>From frank@kuesterei.ch Fri Apr 23 06:08:08 2004
Return-path: <frank@kuesterei.ch>
Received: from balu1.urz.unibas.ch [131.152.1.51] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1BH0PY-00032U-00; Fri, 23 Apr 2004 06:08:08 -0700
Received: from alhambra.bioz.unibas.ch (bioz6-allgem17.Bioz.unibas.ch [131.152.17.45])
	by balu1.urz.unibas.ch (8.12.10/8.12.10) with ESMTP id i3ND846G015803;
	Fri, 23 Apr 2004 15:08:04 +0200
Received: from localhost ([127.0.0.1] helo=alhambra.bioz.unibas.ch)
	by alhambra.bioz.unibas.ch with esmtp (Exim 3.35 #1 (Debian))
	id 1BH0CC-0008Ky-00; Fri, 23 Apr 2004 14:54:21 +0200
To: tex-k@mail.tug.org
Cc: Matthew Swift <swift@alum.mit.edu>, 181065-forwarded@bugs.debian.org
Subject: Re: tetex-base: dvips default output and security settings need
 clarification
From: frank@kuesterei.ch (Frank Küster)
In-Reply-To: <200302150510.h1F5AjBG028354@beth.swift.xxx> (Matthew Swift's
 message of "Sat, 15 Feb 2003 00:10:45 -0500")
References: <200302150510.h1F5AjBG028354@beth.swift.xxx>
Date: Fri, 23 Apr 2004 14:54:20 +0200
Message-ID: <87r7ueyhvn.fsf@alhambra.bioz.unibas.ch>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/21.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Delivered-To: 181065-forwarded@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-2.0 required=4.0 tests=BAYES_00 autolearn=no 
	version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 
X-CrossAssassin-Score: 1

Dear TeX-k Team,

here's another suggestion from our Debian Bugtracking system, regarding
both documentation and a source code fix. As for the changes to
config.ps, I have attached a patch below, which you might find useful.

Regards, Frank

Matthew Swift <swift@alum.mit.edu> wrote:

> Package: tetex-base
> Version: 2.0-1
> Severity: normal
>
> There are several things to improve about the default output and default
> security settings of dvips.
>
> (1) Dvips.info (actually in tetex-bin not tetex-base) says this:
>
>     `-R'
>          Run securely.  This disables shell command execution in `\special'
>          (via ``', *note Dynamic creation of graphics::) and config files
>          (via the `E' option, *note Configuration file commands::), pipes as
>          output files, and opening of any absolute filenames.
>
> But it is no longer true that setting -R (or in config file `z1') disables
> output to a pipe.  I also cannot find where in the sources the loading of
> absolute filenames is prohibited by secure=1, so that probably also should be
> corrected -- either to implement it or to remove the claim that it is
> implemented.
>
> There is one exception, when __DJGPP__ is defined in output.c.  This is
> probably a bug that should be forwarded upstream out of courtesy, although it
> does not affect Debian.  I think if secure=1 and __DJGPP__ is defined and
> output is sent to a pipe, the program will fail without any kind of error
> message.
>
> (2) The comments regarding `z*' and `o' in config.ps could be clearer.
>     Suggestions are below.  This was more of a problem in the version
>     before tetex-2.0.
>
> (3) Dvips.info documentation of the "o" configuration file option has a typo:
>
>     `o NAME'
>          Send output to NAME.  Same as `-', *note Option details::.  In the
>          file `config.foo', a setting like this is probably appropriate:
>
> That should be `-o' not `-' in the second sentence.
>
> --------------------------
>
> In config.ps:
>
> Existing:
>
>     % Execution of external programs is disabled by default. Set
>     % to z0 if you want backticks in \special commands enabled.
>     z1
>
>     % How to print, maybe with lp instead lpr, etc. If commented-out, output
>     % will go into a file by default.
>     % o |lpr
>
> What it should be (and this also explains z* better):
>
>     % A setting of `z1' inhibits execution of shell commands in `\special's
>     % and via the `E' option in config files like this one.
>     % Dvips permits these operations by default or with an explicit setting of `z0'.
>     % Debian GNU/Linux inhibits these operations by default with the setting `z1' here.
>     z1
>
>     % Where dvips output should go by default.  If unspecified, output goes to a file.
>     % To send output via a pipe directly to a printing program such as `lpr',
>     % use a line like one of the following two:
>     % o |lpr
>     % o |lpr -Pmyprinter
>     % To send output to standard-output by default, use:
>     % o -
>

Here's the patch:

--- texmf/dvips/config/config.ps.orig	Fri Apr 23 14:29:36 2004
+++ texmf/dvips/config/config.ps	Fri Apr 23 14:31:20 2004
@@ -7,13 +7,19 @@
 % to determine this number. (It will be the only thing printed.)
 m 3500000
=20
-% Execution of external programs is disabled by default. Set
-% to z0 if you want backticks in \special commands enabled.
+% A setting of `z1' inhibits execution of shell commands in `\special's
+% and via the `E' option in config files like this one ("secure mode").
+% Dvips permits these operations by default or with an explit setting of `=
z0'.
+% Debian GNU/Linux inhibits these operations by default with the setting `=
z1' here.
 z1
=20
-% How to print, maybe with lp instead lpr, etc. If commented-out, output
-% will go into a file by default.
-o |lpr
+% Where dvips output should go by default.  If unspecified, output goes to=
 a file.=20=20
+% To send output via a pipe directly to a printing program such as `lpr' o=
r 'lp',
+% use a line like one of the following two:
+% o |lpr
+% o |lpr -Pmyprinter
+% To send output to standard-output by default, use:
+% o -
=20
 % Default resolution of this device, in dots per inch.
 D 600
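Review bot: the second half of this hunk changes behaviour, not only the comments: the active `o |lpr` line is removed and every replacement `o` line is commented out, so a site applying this patch would silently switch from piping output to lpr to writing a file. If only the documentation is meant to change, keep `o |lpr` uncommented below the new comment block, or state in the cover message that the default is deliberately changed. Two smaller points in the `+` lines: "explit" should be "explicit", and "Debian GNU/Linux inhibits these operations by default with the setting `z1' here" is Debian-specific wording in a patch sent upstream to tex-k; "This file sets `z1' ..." would be true wherever config.ps ships. The `lpr' / 'lp' quoting in the new comment is also inconsistent.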


-- 
Frank Küster, Biozentrum der Univ. Basel
Abt. Biophysikalische Chemie
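The thread turns on three config.ps settings: the `z' secure flag, the `o' output destination (file, `o |lpr' pipe, or `o -'), and `E' shell commands in the config file. The script below is an added example, not code from the bug report or from teTeX/dvips, that audits one such config file for those settings and flags the combination the `z1' comment is meant to prevent. Its config grammar (a line starting with `%' is a comment; otherwise the first character is the command letter and the rest, with leading blanks stripped, is the argument) is an assumption fitted to the lines quoted in the thread, not the full dvips grammar, and it only looks at the single file it is given: dvips merges several config files and command-line flags such as -R, which the script does not model.

```shell
#!/bin/sh
# Added example, not part of the bug report or of teTeX/dvips itself.
# Audits one dvips configuration file (config.ps, config.<printer>, or
# ~/.dvipsrc) for the settings discussed in the thread: the `z' secure
# flag, the `o' output destination, and any `E' shell commands.
#
# Assumed config syntax (fitted to the lines quoted in the thread; this is
# an assumption of the script, not a statement of the full dvips grammar):
#   - a line starting with `%' is a comment, blank lines are ignored,
#   - otherwise the first character is the command letter and the rest,
#     with leading blanks stripped, is its argument (`z1', `o |lpr', `E cmd').
# Only the file given is inspected; dvips merges several config files plus
# command-line flags such as -R, which this script does not model.

audit_dvips_config() {
    # Usage: audit_dvips_config [FILE]   (reads stdin when FILE is omitted)
    if [ $# -gt 0 ]; then
        _audit_dvips_stream < "$1"
    else
        _audit_dvips_stream
    fi
}

_audit_dvips_stream() {
    secure=unset
    output=file
    ecmds=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'%'*) continue ;;
        esac
        letter=${line%"${line#?}"}              # first character is the command
        arg=${line#?}
        arg=${arg#"${arg%%[![:space:]]*}"}     # strip leading blanks
        case "$letter" in
            z)
                case "$arg" in
                    1*) secure=1 ;;
                    0*) secure=0 ;;
                    *)  secure="unknown($arg)" ;;
                esac ;;
            o)
                case "$arg" in
                    '|'*) output="pipe:${arg#|}" ;;   # `o |lpr'
                    '-')  output=stdout ;;             # `o -'
                    '')   output=file ;;               # bare `o'
                    *)    output="file:$arg" ;;
                esac ;;
            E)
                ecmds=$((ecmds + 1))
                printf 'E:%s\n' "$arg" ;;
        esac
    done
    printf 'secure=%s\n' "$secure"
    printf 'output=%s\n' "$output"
    # Shell commands in the config file while secure mode is not enabled is
    # exactly what the `z1' comment in config.ps is there to prevent.
    if [ "$ecmds" -gt 0 ] && [ "$secure" != 1 ]; then
        printf 'WARNING: %s E command(s) would run with secure mode off\n' "$ecmds"
    fi
}

# Constructed sample (not a real config.ps): roughly the patched file from
# the thread with the lpr pipe left active.
demo() {
    audit_dvips_config <<'EOF'
% sample config (constructed for this example)
m 3500000
z1
o |lpr -Pmyprinter
D 600
EOF
}

demo
```

Run it as `sh audit.sh` for the constructed sample, or `audit_dvips_config /path/to/config.ps` after sourcing it; a config with `z0` (or no `z' line) and any `E' command produces the WARNING line, which is the case worth catching before such a file is shipped.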


