
Bug#316154: texmf.cfg: Close possible security problem



Package: tetex-bin
Version: 2.0.2-30
Severity: normal

Hi,

the shipped /etc/texmf/texmf.cfg has the following lines:

openout_any = p
openin_any = a

While the first line is so far ok, the second line means that any LaTeX
code run on this machine has read access as the user it runs as; that
includes /etc/passwd, ~/.ssh/id_rsa, ~/other_sensitive_file.

This by itself is no problem, but it is actually quite easy to make a
user compile malicious LaTeX code and make him send you the file before he has
a look at it or, using some TeX-magick, make the read text not visible
(white on white, or very small...).

This is also a problem for e.g. webservices that include LaTeX
capabilities.

Changing the line to
openin_any = p
solves this problem.

Thanks,
Joachim


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.10.otto
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages tetex-bin depends on:
ii  debconf                  1.4.51          Debian configuration management sy
ii  debianutils              2.14.1          Miscellaneous utilities specific t
ii  dpkg                     1.13.9          Package maintenance system for Deb
ii  ed                       0.2-20          The classic unix line editor
ii  libc6                    2.3.2.ds1-22    GNU C Library: Shared libraries an
ii  libgcc1                  1:4.0.0-11      GCC support library
ii  libice6                  4.3.0.dfsg.1-14 Inter-Client Exchange library
ii  libkpathsea3             2.0.2-30        path search library for teTeX (run
ii  libpaper1                1.1.14-3        Library for handling paper charact
ii  libpng12-0               1.2.8rel-1      PNG library - runtime
ii  libsm6                   4.3.0.dfsg.1-14 X Window System Session Management
ii  libstdc++5               1:3.3.6-7       The GNU Standard C++ Library v3
ii  libt1-5                  5.0.2-3         Type 1 font rasterizer library - r
ii  libwww0                  5.4.0-9         The W3C WWW library
ii  libx11-6                 4.3.0.dfsg.1-14 X Window System protocol client li
ii  libxaw7                  4.3.0.dfsg.1-14 X Athena widget set library
ii  libxext6                 4.3.0.dfsg.1-14 X Window System miscellaneous exte
ii  libxmu6                  4.3.0.dfsg.1-14 X Window System miscellaneous util
ii  libxt6                   4.3.0.dfsg.1-14 X Toolkit Intrinsics
ii  mime-support             3.34-1          MIME files 'mime.types' & 'mailcap
ii  perl                     5.8.7-3         Larry Wall's Practical Extraction 
ii  sed                      4.1.4-2         The GNU sed stream editor
ii  tetex-base               2.0.2c-8        Basic library files of teTeX
ii  ucf                      1.18            Update Configuration File: preserv
ii  xlibs                    4.3.0.dfsg.1-14 X Keyboard Extension (XKB) configu
ii  zlib1g                   1:1.2.2-4       compression library - runtime

Versions of packages tetex-bin recommends:
ii  perl-tk                      1:800.025-2 Perl module providing the Tk graph
ii  psutils                      1.17-17     A collection of PostScript documen
pn  texi2html                    <none>      (no description available)
ii  whiptail                     0.51.6-26   Displays user-friendly dialog boxe

-- debconf information:
  tetex-bin/upd_map: true
  tetex-bin/cnf_name:
  tetex-bin/fmtutil: true
  tetex-bin/fmtutil-failed:
  tetex-bin/userperm: false
  tetex-bin/updmap-failed:
  tetex-bin/hyphen: french[=patois], ngerman[=naustrian-neue_Rechtschreibung]
  tetex-bin/oldcfg: true
  tetex-bin/use_debconf: false
  tetex-bin/groupname: users
  tetex-bin/groupperm: true
  tetex-bin/lsr-perms: true
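The two settings the report contrasts, as an added example that is not part of the original report or of the tetex packaging: a small POSIX shell audit that reads the effective openin_any / openout_any values out of a texmf.cnf-style file, flags the weak "a" value, and writes a copy with openin_any set to "p". The sample configuration, the file names and the function names are constructed for this example; the value letters (a = any, r = restricted, p = paranoid) are kpathsea's own.

```sh
#!/bin/sh
# Constructed sample of the shipped configuration the report describes
# (written to a temp file here; not a copy of any real /etc/texmf file).
SAMPLE_CNF="$(mktemp)"
FIXED_CNF="$(mktemp)"
trap 'rm -f "$SAMPLE_CNF" "$FIXED_CNF"' EXIT
cat >"$SAMPLE_CNF" <<'EOF'
% texmf.cnf excerpt (constructed sample)
openout_any = p
openin_any = a
EOF

# texmf_var FILE NAME: print the effective value of NAME in FILE.
# Strips '%' comments, tolerates whitespace around '=', and keeps the
# last assignment when a variable is set more than once.
texmf_var() {
    sed -n -e 's/%.*//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        "$1" | tail -n 1
}

# audit_openin FILE: return 0 if openin_any is 'p' (paranoid) or 'r'
# (restricted, no dotfiles); return 1 if it is 'a' (any readable file,
# the case the report is about). An absent line is reported as weak too,
# a deliberately conservative choice of this script.
audit_openin() {
    v=$(texmf_var "$1" openin_any)
    case "$v" in
        p|r) echo "openin_any = $v: \\input confined to the TeX tree"; return 0 ;;
        a|"") echo "openin_any = ${v:-<unset>}: TeX may \\input any file the user can read"; return 1 ;;
        *)    echo "openin_any = $v: unrecognised value"; return 1 ;;
    esac
}

# harden_openin SRC DST: copy SRC to DST with 'openin_any = a' turned into
# 'openin_any = p', preserving any trailing comment on that line.
harden_openin() {
    sed 's/^\([[:space:]]*openin_any[[:space:]]*=[[:space:]]*\)a\([[:space:]%].*\)*$/\1p\2/' \
        "$1" >"$2"
}

# Demo: the shipped sample fails the audit, the hardened copy passes.
if audit_openin "$SAMPLE_CNF"; then :; else
    harden_openin "$SAMPLE_CNF" "$FIXED_CNF"
    audit_openin "$FIXED_CNF"
fi
```

On a real system the same check can be pointed at the file kpathsea actually loads (for this package, /etc/texmf/texmf.cnf) instead of the constructed sample.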


