
Bug#181065: marked as done (tetex-base: dvips default output and security settings need clarification)



Your message dated Wed, 28 Apr 2004 11:32:46 -0400
with message-id <E1BIr3G-0003bV-00@newraff.debian.org>
and subject line Bug#181065: fixed in tetex-base 2.0.2-8
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Message-Id: <200302150510.h1F5AjBG028354@beth.swift.xxx>
From: Matthew Swift <swift@alum.mit.edu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tetex-base: dvips default output and security settings need
	clarification
Date: Sat, 15 Feb 2003 00:10:45 -0500

Package: tetex-base
Version: 2.0-1
Severity: normal

There are several things to improve about the default output and default
security settings of dvips.

(1) Dvips.info (actually in tetex-bin not tetex-base) says this:

    `-R'
         Run securely.  This disables shell command execution in `\special'
         (via ``', *note Dynamic creation of graphics::) and config files
         (via the `E' option, *note Configuration file commands::), pipes as
         output files, and opening of any absolute filenames.

But it is no longer true that setting -R (or in config file `z1') disables
output to a pipe.  I also cannot find where in the sources the loading of
absolute filenames is prohibited by secure=1, so that probably also should be
corrected -- either to implement it or to remove the claim that it is
implemented.

There is one exception, when __DJGPP__ is defined in output.c.  This is
probably a bug that should be forwarded upstream out of courtesy, although it
does not affect Debian.  I think if secure=1 and __DJGPP__ is defined and
output is sent to a pipe, the program will fail without any kind of error
message.

(2) The comments regarding `z*' and `o' in config.ps could be clearer.
    Suggestions are below.  This was more of a problem before in the version
    before tetex-2.0.

(3) Dvips.info documentation of the "o" configuration file option has a typo:

    `o NAME'
         Send output to NAME.  Same as `-', *note Option details::.  In the
         file `config.foo', a setting like this is probably appropriate:

It should be `-o' not `-' in the second sentence.

--------------------------

In config.ps:

Existing:

    % Execution of external programs is disabled by default. Set
    % to z0 if you want backticks in \special commands enabled.
    z1

    % How to print, maybe with lp instead lpr, etc. If commented-out, output
    % will go into a file by default.
    % o |lpr

What it should be (and this also explains z* better):

    % A setting of `z1' inhibits execution of shell commands in `\special's
    % and via the `E' option in config files like this one.
    % Dvips permits these operations by default or with an explicit setting of `z0'.
    % Debian GNU/Linux inhibits these operations by default with the setting `z1' here.
    z1

    % Where dvips output should go by default.  If unspecified, output goes to a file.  
    % To send output via a pipe directly to a printing program such as `lpr',
    % use a line like one of the following two:
    % o |lpr
    % o |lpr -Pmyprinter
    % To send output to standard-output by default, use:
    % o -



-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux beth 2.4.20 #1 Fri Jan 31 16:26:56 EST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages tetex-base depends on:
ii  debconf                       1.2.21     Debian configuration management sy
ii  dpkg                          1.10.9     Package maintenance system for Deb
ii  texinfo                       4.2-1      Documentation system for on-line i

-- debconf information excluded
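As an added example (not from the report or the tetex packages), a small audit that reads a config.ps and reports the `z` and `o` settings discussed in points (1) and (2) above; the sample configuration is constructed, and the parsing rules in `parse_config` are assumptions, not dvips's own parser.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the style of Debian's config.ps (not the real file).
SAMPLE_CONFIG = """\
% Execution of external programs is disabled by default. Set
% to z0 if you want backticks in \\special commands enabled.
z1
o |lpr -Pmyprinter
"""

@dataclass
class DvipsSettings:
    secure: Optional[bool]   # True for z1, False for z0, None if no z line
    output: Optional[str]    # argument of the last `o` line, None if absent

    @property
    def output_kind(self) -> str:
        # 'file' (no o line or a filename), 'stdout' (`o -`) or 'pipe' (`o |prog`)
        if self.output is None:
            return "file"          # dvips writes a .ps file when `o` is unset
        if self.output == "-":
            return "stdout"
        return "pipe" if self.output.startswith("|") else "file"

def parse_config(text: str) -> DvipsSettings:
    """Assumed config.ps rules: `%` starts a comment, the first character of a
    non-blank line is the option letter, the rest is its argument, last one wins."""
    secure, output = None, None
    for raw in text.splitlines():
        line = raw.split("%", 1)[0].strip()
        if not line:
            continue
        key, arg = line[0], line[1:].strip()
        if key == "z" and arg in ("0", "1"):
            secure = arg == "1"
        elif key == "o":
            output = arg or None
    return DvipsSettings(secure, output)

def audit(settings: DvipsSettings) -> list[str]:
    """Findings an administrator reviewing the config would want flagged."""
    findings = []
    if settings.secure is False:
        findings.append("z0: shell commands in \\special and config `E' lines are enabled")
    elif settings.secure is None:
        findings.append("no z line: secure mode falls back to the built-in default")
    if settings.output_kind == "pipe":
        findings.append(f"o {settings.output}: output is piped to a program; the report notes z1 no longer blocks this")
    return findings
```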


---------------------------------------
From: Frank Küster <frank@debian.org>
To: 181065-close@bugs.debian.org
Subject: Bug#181065: fixed in tetex-base 2.0.2-8
Message-Id: <E1BIr3G-0003bV-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Wed, 28 Apr 2004 11:32:46 -0400

Source: tetex-base
Source-Version: 2.0.2-8

We believe that the bug you reported is fixed in the latest version of
tetex-base, which is due to be installed in the Debian FTP archive:

tetex-base_2.0.2-8.diff.gz
  to pool/main/t/tetex-base/tetex-base_2.0.2-8.diff.gz
tetex-base_2.0.2-8.dsc
  to pool/main/t/tetex-base/tetex-base_2.0.2-8.dsc
tetex-base_2.0.2-8_all.deb
  to pool/main/t/tetex-base/tetex-base_2.0.2-8_all.deb
tetex-doc_2.0.2-8_all.deb
  to pool/main/t/tetex-base/tetex-doc_2.0.2-8_all.deb
tetex-extra_2.0.2-8_all.deb
  to pool/main/t/tetex-base/tetex-extra_2.0.2-8_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 181065@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frank Küster <frank@debian.org> (supplier of updated tetex-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 28 Apr 2004 15:21:25 +0200
Source: tetex-base
Binary: tetex-extra tetex-doc tetex-base
Architecture: source all
Version: 2.0.2-8
Distribution: unstable
Urgency: low
Maintainer: teTeX maintainers <debian-tetex-maint@lists.debian.org>
Changed-By: Frank Küster <frank@debian.org>
Description: 
 tetex-base - Basic library files of teTeX
 tetex-doc  - The documentation component of the Debian teTeX packages
 tetex-extra - Additional library files of teTeX
Closes: 148216 158352 181065 245502 246318
Changes: 
 tetex-base (2.0.2-8) unstable; urgency=low
 .
   * Fix links to compressed files in helpindex.html and newhelpindex.html,
     thanks to Hannu Koivisto <azure@iki.fi> (closes: #158352) [frank]
   * Remove empty directories in /usr/share/doc/texmf/ from tetex-base
     (closes: #148216) [frank]
   * Add dependency on ucf (closes: #245502)
   * Even better description of options in config.ps, thanks to Matthew
     Swift <swift@alum.mit.edu> (closes: #181065) [frank]
   * Corrected directory for reportbug scripts (thanks to "Mario
     'BitKoenig' Holbe" <Mario.Holbe@RZ.TU-Ilmenau.DE>) (closes: #246318)
     [frank]
Files: 
 0738889250618d60fa5b7b7f319f00d6 846 tex optional tetex-base_2.0.2-8.dsc
 a78441ce69cec454d97b14389479a066 138899 tex optional tetex-base_2.0.2-8.diff.gz
 4c853c28fd48a8f66f7d6e8939ea99e8 14300530 tex optional tetex-base_2.0.2-8_all.deb
 d158122451e7059a867edba6889b24d3 10512134 tex optional tetex-extra_2.0.2-8_all.deb
 69e495de70f70bde49592b2d394631c5 27494582 doc optional tetex-doc_2.0.2-8_all.deb



