
Is texmfstart secure?



Package: context 2006.08.08-0.4

If anyone who knows Ruby has time, can you tell if texmfstart is
secure?  I was really surprised to see client-server code.  Even
localhost services can lead to privilege escalation if not careful.
For example, /usr/share/texmf/scripts/context/ruby/texmfstart.rb
contains the following.  I'm not a Ruby programmer but the comment
leads me to think there is a potential problem here:

                # danger lurking
                buffer = ' ' * 260
                length = filemethod.call(filename,buffer,buffer.size)
                if length>0 then
                    return buffer.slice(0..length-1)

It looks like PRAGMA is trying to reinvent kpsewhich, integrate Internet
Explorer, launch editors, and do a whole bunch of other stuff I haven't
figured out.  texexec should be a simple wrapper around tex or pdftex
but it works via texmfstart.rb which is 2541 lines of Ruby - and that's
a lot of Ruby.  It may all be wonderful (I am not a Ruby programmer) but
it makes me nervous.

Is an older/simpler texexec still available?

--Mike Bird
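As an added illustration (not code from texmfstart.rb or from the ConTeXt project), here is the quoted fixed-buffer pattern next to a wrapper that handles the case it ignores: the result not fitting in 260 bytes. `fake_short_path` is a constructed stand-in for a Win32 path call that, like GetShortPathName, returns the required size when the buffer is too small; the wrapper checks the returned length against the buffer size, grows and retries, and caps the growth.

```ruby
# Constructed stand-in for a Win32-style "fill this buffer, return the
# length" call (assumption: same contract as GetShortPathName). It writes
# the result when it fits and otherwise returns the size needed,
# including the terminating NUL, without touching the buffer.
def fake_short_path(filename, buffer, size)
  result = filename.upcase          # stand-in for the real conversion
  needed = result.length + 1        # room for the trailing NUL
  return needed if needed > size    # too small: report required size only
  buffer[0, result.length] = result
  buffer[result.length] = "\0"
  result.length
end

# Hardened version of the quoted snippet. The original trusts the
# returned length and slices; this one treats "length >= buffer size"
# as "did not fit", retries with a larger buffer, and refuses to grow
# past a ceiling so a misbehaving API cannot force unbounded allocation.
def short_path(filename, filemethod: method(:fake_short_path),
               initial: 260, max: 32 * 1024)
  size = initial
  loop do
    buffer = "\0" * size
    length = filemethod.call(filename, buffer, buffer.size)
    return nil if length <= 0                 # call failed: no result
    return buffer[0, length] if length < size # fits: keep written chars only
    raise "path too long (needs #{length} bytes)" if length > max
    size = length                             # grow to reported size, retry
  end
end
```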
