Bug#390349: Bug#388399: FTBFS problems on alpha, mips[el]: Please help debugging

To: Frank Küster <frank@kuesterei.ch>, 390349@bugs.debian.org
Cc: Thiemo Seufer <ths@networkno.de>, Steve Langasek <vorlon@netexpress.net>, Julian Gilbey <jdg@polya.uklinux.net>
Subject: Bug#390349: Bug#388399: FTBFS problems on alpha, mips[el]: Please help debugging
From: Ralf Stubner <ralf.stubner@web.de>
Date: Mon, 2 Oct 2006 10:52:51 +0200
Message-id: <[🔎] 20061002085251.GF4508@thinkpad>
Reply-to: Ralf Stubner <ralf.stubner@web.de>, 390349@bugs.debian.org
In-reply-to: <[🔎] 86wt7jl07i.fsf@alhambra.kuesterei.ch>
References: <20060930160554.GB30302@networkno.de> <861wptp9m0.fsf@alhambra.kuesterei.ch> <20060930171240.GC30302@networkno.de> <20060930181922.GC4508@thinkpad> <[🔎] 20061001001005.GF11662@mauritius.dodds.net> <[🔎] 86sli8dwwx.fsf@alhambra.kuesterei.ch> <[🔎] 20061001164553.GD4508@thinkpad> <[🔎] 86wt7jdf33.fsf@alhambra.kuesterei.ch> <[🔎] 20061001205712.GE4508@thinkpad> <[🔎] 86wt7jl07i.fsf@alhambra.kuesterei.ch>

On Mon, Oct 02, 2006 at 08:07 +0200, Frank Küster wrote:
> 
> Okay, you are right, indeed this check is already done.  So we could
> gain some additional security by making sure that the SYSTEXMF variable
> is not set in the user environment, but only read from the system-wide
> texmf.cnf. 

That's non-trivial, though, since the user can alter SYSTEXMF not only
via an environment variable but also via a personal texmf.cnf file. And
*all* texmf.cnf files that are found will be read. Getting the personal
file found could be achieved by setting TEXMFCNF or placing a copy of
kpsewhich in HOME/bin, so that HOME/texmf/web2c/texmf.cnf would get
found via the SELFAUTOPARENT feature. So besides SYSTEXMF one would also
have to control TEXMFCNF and PATH.

One could also try to extract SYSTEXMF from the systemwide texmf.cnf
file and set an appropriate environment variable, since that would take
precedence. But one would have to define that in terms of actual
directories, not variables like TEXMFMAIN etc, since a malicious user
could redefine those, too.

Given all these possibilities, I am quite happy that the possbile
threats are not that serious ... 

cheerio
ralf

Reply to:

References:
- Bug#388399: FTBFS problems on alpha, mips[el]: Please help debugging
  - From: Steve Langasek <vorlon@debian.org>
- Bug#390349: Bug#388399: FTBFS problems on alpha, mips[el]: Please help debugging
  - From: Frank Küster <frank@kuesterei.ch>
- Bug#390349: Bug#388399: FTBFS problems on alpha, mips[el]: Please help debugging
  - From: Ralf Stubner <ralf.stubner@web.de>
- Bug#390349: Bug#388399: FTBFS problems on alpha, mips[el]: Please help debugging
  - From: Frank Küster <frank@kuesterei.ch>
- Bug#390349: Bug#388399: FTBFS problems on alpha, mips[el]: Please help debugging
  - From: Ralf Stubner <ralf.stubner@web.de>
- Bug#390349: Bug#388399: FTBFS problems on alpha, mips[el]: Please help debugging
  - From: Frank Küster <frank@kuesterei.ch>

Prev by Date: Bug#354008: marked as done (debian/templates should be generated from a templates.in file to automatically get the right octal mode for the cache directories)
Next by Date: intent to do a poppler transition
Previous by thread: Bug#390349: Bug#388399: FTBFS problems on alpha, mips[el]: Please help debugging
Next by thread: Bug#388399: FTBFS problems on alpha, mips[el]: Please help debugging
Index(es):
- Date
- Thread