Is texmfstart secure?
Package: context 2006.08.08-0.4
If anyone who knows Ruby has time, can you tell if texmfstart is
secure? I was really surprised to see client-server code. Even
localhost services can lead to privilege escalation if not careful.
For example, /usr/share/texmf/scripts/context/ruby/texmfstart.rb
contains the following. I'm not a Ruby programmer but the comment
leads me to think there is a potential problem here:
    # danger lurking
    buffer = ' ' * 260
    length = filemethod.call(filename,buffer,buffer.size)
    if length>0 then
      return buffer.slice(0..length-1)
    end
It looks like PRAGMA is trying to reinvent kpsewhich, integrate Internet
Explorer, launch editors, and do a whole bunch of other stuff I haven't
figured out. texexec should be a simple wrapper around tex or pdftex
but it works via texmfstart.rb which is 2541 lines of Ruby - and that's
a lot of Ruby. It may all be wonderful (I am not a Ruby programmer) but
it makes me nervous.
Is an older/simpler texexec still available?
--Mike Bird
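The quoted snippet hands a fixed 260-byte buffer to a native call and treats any positive return value as the number of valid bytes. Win32 "fill this buffer" path functions do not work that way: on success they return the characters written, but when the buffer is too small they return the size required (including the terminating NUL) without writing anything, so the naive pattern returns uninitialised buffer contents as if they were a path. The following is an added example, not code from texmfstart.rb or the ConTeXt project; `fake_path_api` is a constructed pure-Ruby stand-in for that Win32 contract so the example runs on any platform, and the 260 constant mirrors the buffer size in the quoted lines.

```ruby
# Added example: the fixed-buffer pattern from the quoted snippet next to a
# wrapper that honours the "required size" return convention of Win32-style
# path calls. fake_path_api is a constructed stand-in, not a real native call.

MAX_PATH = 260  # assumed: same fixed buffer size as the quoted snippet

# Constructed stand-in for a Win32 path function:
#   returns 0          on failure (empty path),
#   returns needed     (path length + 1 for NUL) when the buffer is too small,
#                      writing nothing,
#   returns bytes written (excluding NUL) on success.
def fake_path_api(path, buffer, size)
  return 0 if path.empty?
  needed = path.bytesize + 1
  return needed if needed > size
  buffer[0, path.bytesize] = path
  buffer[path.bytesize] = "\0"
  path.bytesize
end

# The pattern from the quoted snippet: fixed buffer, no check that the
# returned length fits inside it.
def naive_call(filemethod, filename)
  buffer = ' ' * MAX_PATH
  length = filemethod.call(filename, buffer, buffer.size)
  return buffer.slice(0..length - 1) if length > 0
  nil
end

# Hardened wrapper: a return value >= the buffer size means "too small, this
# is what you need", so grow the buffer and retry, with an upper bound so a
# hostile or absurd requirement cannot drive unbounded allocation.
def safe_call(filemethod, filename, max_bytes: 32_768)
  size = MAX_PATH
  loop do
    buffer = "\0" * size
    length = filemethod.call(filename, buffer, size)
    return nil if length <= 0                            # failure
    return buffer.byteslice(0, length) if length < size  # fits (room for NUL)
    size = length                                        # required size reported
    return nil if size > max_bytes                       # refuse to grow further
  end
end

if __FILE__ == $PROGRAM_NAME
  api = method(:fake_path_api)
  long = "C:/" + "a" * 300     # constructed path longer than MAX_PATH
  p naive_call(api, long)      # 260 spaces: garbage returned as a "path"
  p safe_call(api, long) == long
end
```

With a path longer than 260 bytes, `naive_call` returns the untouched 260 spaces of the buffer because `length` is really the required size, while `safe_call` retries with a correctly sized buffer; a result that does not fit is never passed on as if it were valid.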