Bug#316154: texmf.cfg: Close possible security problem
Package: tetex-bin
Version: 2.0.2-30
Severity: normal
Hi,
the shipped /etc/texmf/texmf.cfg has the following lines:
openout_any = p
openin_any = a
While the first line is fine so far, the second line means that any LaTeX
code run on this machine has the read access of the user it runs as, which
includes /etc/passwd, ~/.ssh/id_rsa, ~/other_sensitive_file.
This by itself is no problem, but it is actually quite easy to make a
user compile malicious LaTeX code and make him send you the file before he has
a look at it or, using some TeX magic, make the read text not visible
(white on white, or very small...).
This is also a problem for e.g. web services that include LaTeX
capabilities.
Changing the line to
openin_any = p
solves this problem.
Thanks,
Joachim
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.10.otto
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Versions of packages tetex-bin depends on:
ii debconf 1.4.51 Debian configuration management sy
ii debianutils 2.14.1 Miscellaneous utilities specific t
ii dpkg 1.13.9 Package maintenance system for Deb
ii ed 0.2-20 The classic unix line editor
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libgcc1 1:4.0.0-11 GCC support library
ii libice6 4.3.0.dfsg.1-14 Inter-Client Exchange library
ii libkpathsea3 2.0.2-30 path search library for teTeX (run
ii libpaper1 1.1.14-3 Library for handling paper charact
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libsm6 4.3.0.dfsg.1-14 X Window System Session Management
ii libstdc++5 1:3.3.6-7 The GNU Standard C++ Library v3
ii libt1-5 5.0.2-3 Type 1 font rasterizer library - r
ii libwww0 5.4.0-9 The W3C WWW library
ii libx11-6 4.3.0.dfsg.1-14 X Window System protocol client li
ii libxaw7 4.3.0.dfsg.1-14 X Athena widget set library
ii libxext6 4.3.0.dfsg.1-14 X Window System miscellaneous exte
ii libxmu6 4.3.0.dfsg.1-14 X Window System miscellaneous util
ii libxt6 4.3.0.dfsg.1-14 X Toolkit Intrinsics
ii mime-support 3.34-1 MIME files 'mime.types' & 'mailcap
ii perl 5.8.7-3 Larry Wall's Practical Extraction
ii sed 4.1.4-2 The GNU sed stream editor
ii tetex-base 2.0.2c-8 Basic library files of teTeX
ii ucf 1.18 Update Configuration File: preserv
ii xlibs 4.3.0.dfsg.1-14 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4 compression library - runtime
Versions of packages tetex-bin recommends:
ii perl-tk 1:800.025-2 Perl module providing the Tk graph
ii psutils 1.17-17 A collection of PostScript documen
pn texi2html <none> (no description available)
ii whiptail 0.51.6-26 Displays user-friendly dialog boxe
-- debconf information:
tetex-bin/upd_map: true
tetex-bin/cnf_name:
tetex-bin/fmtutil: true
tetex-bin/fmtutil-failed:
tetex-bin/userperm: false
tetex-bin/updmap-failed:
tetex-bin/hyphen: french[=patois], ngerman[=naustrian-neue_Rechtschreibung]
tetex-bin/oldcfg: true
tetex-bin/use_debconf: false
tetex-bin/groupname: users
tetex-bin/groupperm: true
tetex-bin/lsr-perms: true
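The following is an added example, not part of the bug report or of teTeX/Debian: a small POSIX shell audit for the openin_any / openout_any settings in a texmf.cnf, shown on two constructed fragments (the weak setting as reported beside the hardened one). It assumes the kpathsea cnf syntax, "VAR = value" with "%" starting a comment, plus the program-specific form "VAR.progname = value" that kpathsea also accepts, since such an override would quietly undo a global "p". The value descriptions are the ones texmf.cnf itself gives; kpsewhich --var-value is used only if it is installed.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit a kpathsea texmf.cnf for
# the openin_any / openout_any settings the report discusses.
# Values (wording from texmf.cnf itself):
#   a (any)        : any file can be opened
#   r (restricted) : disallow opening "dotfiles"
#   p (paranoid)   : as r, plus disallow going to parent directories and
#                    restrict absolute paths to be under $TEXMFOUTPUT
# Assumed cnf syntax: "VAR = value", "%" starts a comment, and the
# program-specific form "VAR.progname = value" that kpathsea also accepts.

# cnf_assignments FILE VAR: print every assignment to VAR (or VAR.prog)
# in FILE as "name=value", one per line, comments stripped.
cnf_assignments() {
  sed -n -e 's/%.*//' \
    -e "s/^[[:space:]]*\($2\(\.[^[:space:]=]*\)*\)[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1=\3/p" \
    "$1"
}

# audit_cnf FILE: print a verdict per assignment; return 0 only when no
# openin_any/openout_any setting (including program-specific overrides,
# which would silently undo a global "p") opens "any" file.
audit_cnf() {
  rc=0
  seen=0
  for var in openin_any openout_any; do
    for entry in $(cnf_assignments "$1" "$var"); do
      seen=1
      name=${entry%%=*}
      val=${entry#*=}
      case $val in
        a) echo "$name = a   UNSAFE: TeX may open any file the user can"; rc=1 ;;
        r) echo "$name = r   restricted: dotfiles refused" ;;
        p) echo "$name = p   paranoid: dotfiles, .. and stray absolute paths refused" ;;
        *) echo "$name = $val   unrecognised value"; rc=1 ;;
      esac
    done
  done
  if [ "$seen" -eq 0 ]; then
    echo "no openin_any/openout_any assignment in $1: effective value unknown here"
    rc=1
  fi
  return "$rc"
}

# Demonstration on two constructed fragments: the setting as shipped in
# the report beside the hardened one.
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' '% as shipped in /etc/texmf/texmf.cfg' 'openout_any = p' 'openin_any = a' >"$tmp/weak.cnf"
  printf '%s\n' '% hardened' 'openout_any = p' 'openin_any = p' >"$tmp/fixed.cnf"
  for f in weak fixed; do
    echo "== $f.cnf"
    if audit_cnf "$tmp/$f.cnf"; then echo "verdict: OK"; else echo "verdict: change needed"; fi
  done
  rm -rf "$tmp"
}
demo

# On a live system the effective values, after environment variables and
# every cnf file kpathsea reads, are what kpsewhich reports; check
# shell_escape too, since openin_any does not govern \write18.
if command -v kpsewhich >/dev/null 2>&1; then
  for var in openin_any openout_any shell_escape; do
    echo "live $var = $(kpsewhich --var-value="$var")"
  done
fi
```

Two caveats for anyone applying the fix: openin_any = p still lets TeX read anything in the current directory and in the TEXMF trees, so a service compiling untrusted documents also needs a clean working directory; and the upstream TeX Live texmf.cnf still ships openin_any = a, so the change has to be re-checked after upgrades, which is what the kpsewhich query at the end is for.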