
Bug#392586: tetex-bin: Insecure $ENV{PATH} while running setuid at /usr/bin/epstopdf line 211.



Dr. Tilo Levante wrote:
> Package: tetex-bin
> Version: 3.0-19
> Severity: normal
> 
> 
> I use epstopdf in a setuid script (backend for cups, needs access to 
> some directories), and get the error above.
> 
> Solution was to add the line
> $ENV{"PATH"}    = "/usr/bin:/usr/sbin:/bin:/usr/bin";
> in /usr/bin/epstopdf.

Do I understand you correctly that you are calling epstopdf from some
other program? I don't understand why it should be epstopdf's business
to care for a secure environment then. After all, epstopdf is a program
for general use and I might want to use it with a ghostscript binary
outside the above list of directories. This would be needlessly
difficult after such a change. IMO the calling program should set up
PATH in a secure way.

cheerio
ralf
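
The approach suggested in the reply above, a caller that sets up its own secure environment before running epstopdf, sketched as an added example that is not code from the thread or from tetex-bin. The wrapper itself, the directory list and the file-name pattern are assumptions. It also aligns the real and effective IDs, because a Perl program started with differing IDs enables taint mode on its own and treats every inherited environment variable as tainted.

```perl
#!/usr/bin/perl -T
# Hypothetical setuid caller (e.g. a print filter) that prepares a clean
# environment and then hands over to epstopdf. Illustrative only.
use strict;
use warnings;
use English qw(-no_match_vars);

# Replace the inherited environment wholesale instead of trusting any of it.
# The directory list is an assumption: it must contain gs and nothing writable
# by untrusted users.
%ENV = (PATH => '/usr/bin:/bin');

# Untaint the input file name by capturing it with an allow-list pattern.
my $arg = shift @ARGV;
defined $arg or die "usage: $PROGRAM_NAME /absolute/path/file.eps\n";
my ($in) = $arg =~ m{\A(/[\w./-]+\.eps)\z}
    or die "refusing unsafe input file name\n";
die "refusing path containing '..'\n" if $in =~ m{(?:\A|/)\.\.(?:/|\z)};

# Make real and effective IDs match. Otherwise the perl that runs epstopdf
# sees differing IDs, switches taint mode on, and rejects $ENV{PATH} no
# matter how carefully it was set here.
my ($egid) = split ' ', $EGID;   # $EGID is "egid supplementary-groups..."
$GID = $egid;
$UID = $EUID;
$UID == $EUID or die "could not align real and effective uid\n";

# List-form exec: no shell is involved, the argument is passed verbatim.
# epstopdf writes the PDF next to the input file by default.
exec '/usr/bin/epstopdf', $in
    or die "exec /usr/bin/epstopdf failed: $OS_ERROR\n";
```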


