
Bug#316154: marked as done (texmf.cfg: Close possible security problem)



Your message dated Mon, 28 Dec 2009 16:29:39 +0100
with message-id <20091228152939.GA748@PC23>
and subject line Re: texmf.cfg: Close possible security problem
has caused the Debian Bug report #316154,
regarding texmf.cfg: Close possible security problem
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
316154: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=316154
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: tetex-bin
Version: 2.0.2-30
Severity: normal

Hi,

the shipped /etc/texmf/texmf.cfg has the following lines:

openout_any = p
openin_any = a

While the first line is fine so far, the second line means that any LaTeX
code run on this machine has the same read access as the user it runs as;
that includes /etc/passwd, ~/.ssh/id_rsa, ~/other_sensitive_file.

This by itself is no problem, but it is actually quite easy to make a
user compile malicious LaTeX code and make him send you the file before he has
a look at it or, using some TeX-magick, make the read text not visible
(white on white, or very small...).

This is also a problem for, e.g., web services that include LaTeX
capabilities.

Changing the line to
openin_any = p
solves this problem.

Thanks,
Joachim


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.10.otto
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages tetex-bin depends on:
ii  debconf                  1.4.51          Debian configuration management sy
ii  debianutils              2.14.1          Miscellaneous utilities specific t
ii  dpkg                     1.13.9          Package maintenance system for Deb
ii  ed                       0.2-20          The classic unix line editor
ii  libc6                    2.3.2.ds1-22    GNU C Library: Shared libraries an
ii  libgcc1                  1:4.0.0-11      GCC support library
ii  libice6                  4.3.0.dfsg.1-14 Inter-Client Exchange library
ii  libkpathsea3             2.0.2-30        path search library for teTeX (run
ii  libpaper1                1.1.14-3        Library for handling paper charact
ii  libpng12-0               1.2.8rel-1      PNG library - runtime
ii  libsm6                   4.3.0.dfsg.1-14 X Window System Session Management
ii  libstdc++5               1:3.3.6-7       The GNU Standard C++ Library v3
ii  libt1-5                  5.0.2-3         Type 1 font rasterizer library - r
ii  libwww0                  5.4.0-9         The W3C WWW library
ii  libx11-6                 4.3.0.dfsg.1-14 X Window System protocol client li
ii  libxaw7                  4.3.0.dfsg.1-14 X Athena widget set library
ii  libxext6                 4.3.0.dfsg.1-14 X Window System miscellaneous exte
ii  libxmu6                  4.3.0.dfsg.1-14 X Window System miscellaneous util
ii  libxt6                   4.3.0.dfsg.1-14 X Toolkit Intrinsics
ii  mime-support             3.34-1          MIME files 'mime.types' & 'mailcap
ii  perl                     5.8.7-3         Larry Wall's Practical Extraction 
ii  sed                      4.1.4-2         The GNU sed stream editor
ii  tetex-base               2.0.2c-8        Basic library files of teTeX
ii  ucf                      1.18            Update Configuration File: preserv
ii  xlibs                    4.3.0.dfsg.1-14 X Keyboard Extension (XKB) configu
ii  zlib1g                   1:1.2.2-4       compression library - runtime

Versions of packages tetex-bin recommends:
ii  perl-tk                      1:800.025-2 Perl module providing the Tk graph
ii  psutils                      1.17-17     A collection of PostScript documen
pn  texi2html                    <none>      (no description available)
ii  whiptail                     0.51.6-26   Displays user-friendly dialog boxe

-- debconf information:
  tetex-bin/upd_map: true
  tetex-bin/cnf_name:
  tetex-bin/fmtutil: true
  tetex-bin/fmtutil-failed:
  tetex-bin/userperm: false
  tetex-bin/updmap-failed:
  tetex-bin/hyphen: french[=patois], ngerman[=naustrian-neue_Rechtschreibung]
  tetex-bin/oldcfg: true
  tetex-bin/use_debconf: false
  tetex-bin/groupname: users
  tetex-bin/groupperm: true
  tetex-bin/lsr-perms: true


--- End Message ---
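To make the three settings named in the report concrete, here is an added example (not code from the bug report or from teTeX/kpathsea): a simplified model of the check kpathsea applies before TeX may \openin or \openout a file, run against the paths the report mentions. The dotfile rule, the treatment of `..`, and passing $TEXMFOUTPUT as an argument rather than reading the environment are simplifying assumptions of this model, not kpathsea's exact code.

```python
r"""
Model of how kpathsea decides whether TeX may open a file.

Added example, not code from the bug report or from teTeX/kpathsea:
a simplified re-implementation of the check kpathsea applies before
\openin / \openout, so the three settings quoted in the bug ('a', 'r',
'p') can be tried against sample paths. Assumptions: the dotfile rule is
modelled as "any path component starting with '.', other than '.' and
'..'", any '..' component counts as going to a parent directory, and
$TEXMFOUTPUT is passed in as an argument instead of being read from the
environment.
"""
import posixpath
from typing import Dict, Iterable, Optional


def _has_dotfile_component(fname: str) -> bool:
    """True if any component is a dotfile such as .rhosts or .ssh."""
    return any(p.startswith(".") and p not in (".", "..") for p in fname.split("/"))


def _walks_to_parent(fname: str) -> bool:
    """True if the path uses '..' to leave the current tree."""
    return ".." in fname.split("/")


def name_ok(fname: str, setting: str, texmfoutput: Optional[str] = None) -> bool:
    """
    Decide whether `fname` may be opened under an openin_any/openout_any value.

    setting: 'a' (any), 'r' (restricted) or 'p' (paranoid), as documented in
    /etc/texmf/texmf.d/95NonPath.cnf; only the first character is looked at,
    as kpathsea does.
    texmfoutput: $TEXMFOUTPUT; under 'p' an absolute path is allowed only if
    it lies below this directory.
    """
    choice = setting.strip()[:1].lower()
    if choice not in ("a", "r", "p"):
        raise ValueError(f"unknown setting {setting!r}")
    if choice == "a":
        return True                         # anything: /etc/passwd included
    if _has_dotfile_component(fname):
        return False                        # 'r' and 'p' both block dotfiles
    if choice == "r":
        return True
    # paranoid: absolute paths only below TEXMFOUTPUT, and never through '..'
    if posixpath.isabs(fname):
        if not texmfoutput:
            return False
        if not fname.startswith(texmfoutput.rstrip("/") + "/"):
            return False
    return not _walks_to_parent(fname)


def evaluate(paths: Iterable[str], setting: str,
             texmfoutput: Optional[str] = None) -> Dict[str, bool]:
    """Apply name_ok to several paths at once, for a side-by-side comparison."""
    return {p: name_ok(p, setting, texmfoutput) for p in paths}


if __name__ == "__main__":
    # constructed inputs: the files named in the bug report, an ordinary
    # input file, and an output file that lives below TEXMFOUTPUT
    samples = ["chapter1.tex", "/etc/passwd", "~/.ssh/id_rsa",
               "../other_sensitive_file", "/var/tmp/texout/job.aux"]
    for setting in "arp":
        print(f"openin_any = {setting}")
        for path, ok in evaluate(samples, setting, "/var/tmp/texout").items():
            print(f"  {'allow' if ok else 'deny '}  {path}")
```

Running it shows the point of the report: under `a` every sample path is allowed, under `r` only the dotfile `~/.ssh/id_rsa` is refused while `/etc/passwd` and `../other_sensitive_file` still open, and only `p` refuses all three while still allowing the ordinary input file and an output file below $TEXMFOUTPUT.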
--- Begin Message ---
On 28.06.05 Joachim Breitner (nomeata@debian.org) wrote:

> Package: tetex-bin
> Version: 2.0.2-30
> Severity: normal

Hi,

> the shipped /etc/texmf/texmf.cfg has the following lines:
> 
> openout_any = p
> openin_any = a
> 
> While the first line is fine so far, the second line means that any LaTeX
> code run on this machine has the same read access as the user it runs as;
> that includes /etc/passwd, ~/.ssh/id_rsa, ~/other_sensitive_file.
> 
> This by itself is no problem, but it is actually quite easy to make a
> user compile malicious LaTeX code and make him send you the file before he has
> a look at it or, using some TeX-magick, make the read text not visible
> (white on white, or very small...).
> 
> This is also a problem for, e.g., web services that include LaTeX
> capabilities.
> 
> Changing the line to
> openin_any = p
> solves this problem.
> 
As discussed in the bug, it should be the duty of the maintainer
running such a web service to harden the system himself. In
tex-common in Debian stable the following comment is in
/etc/texmf/texmf.d/95NonPath.cnf:

% Allow TeX \openin, \openout, or \input on filenames starting with `.'
% (e.g., .rhosts) or outside the current tree (e.g., /etc/passwd)?
% a (any)        : any file can be opened.
% r (restricted) : disallow opening "dotfiles".
% p (paranoid)   : as 'r' and disallow going to parent directories, and
%                  restrict absolute paths to be under $TEXMFOUTPUT.
openout_any = p
openin_any = a

Hope this is sufficient to assume the bug to be solved. ->  Closing.

H.
-- 
sigmentation fault


--- End Message ---
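Since the reply leaves hardening to whoever runs the service, an administrator needs a quick way to see what a texmf.cnf-style file actually sets. The following is an added example, not code from the bug report or from Debian's tex-common: a small reader for the `name = value` and `name.program = value` lines that kpathsea configuration files use, which reports the effective value of openin_any and openout_any per engine and flags `a` as weak. It assumes, as kpathsea does, that the first definition of a variable wins and that a program-specific `var.program` entry overrides the plain one; the configuration text it scans is constructed, modelled on the comment block quoted above.

```python
"""
Audit openin_any / openout_any in a texmf.cnf-style configuration.

Added example, not code from the bug report or from Debian's tex-common:
a small reader for the `name = value` and `name.program = value` lines
that kpathsea configuration files use (with '%' comments), which reports
the effective setting for a few TeX programs and flags 'a' (any) as weak.
Assumptions: the first definition of a variable in a file wins, as in
kpathsea; program-specific `var.program` entries override the plain one.
The configuration text below is constructed, modelled on the comment
block quoted in the bug.
"""
import re
from typing import Dict, List, Optional, Tuple

# constructed sample: the shipped defaults from the bug, plus one
# program-specific override to show how the lookup resolves
SAMPLE_CNF = """\
% a (any)        : any file can be opened.
% r (restricted) : disallow opening "dotfiles".
% p (paranoid)   : as 'r' and disallow going to parent directories, and
%                  restrict absolute paths to be under $TEXMFOUTPUT.
openout_any = p
openin_any = a
openin_any.pdflatex = p   % override for one engine only
"""

LINE_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")


def parse_cnf(text: str) -> Dict[str, str]:
    """Map variable name -> value; comments stripped, first definition wins."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("%", 1)[0]      # '%' starts a comment in texmf.cnf
        m = LINE_RE.match(line)
        if m:
            values.setdefault(m.group(1), m.group(2))
    return values


def effective(values: Dict[str, str], var: str,
              program: Optional[str] = None) -> Optional[str]:
    """Resolve `var` for `program`: `var.program` beats the plain `var`."""
    if program is not None and f"{var}.{program}" in values:
        return values[f"{var}.{program}"]
    return values.get(var)


def verdict(value: Optional[str]) -> str:
    """Classify a setting the way a hardening review would."""
    if value is None:
        return "unset (kpathsea built-in default applies)"
    first = value.strip()[:1].lower()   # kpathsea looks at the first character
    if first in ("a", "y", "1"):
        return "WEAK: any file the TeX user can read/write is reachable"
    if first in ("r", "n", "0"):
        return "restricted: dotfiles blocked, /etc/passwd still reachable"
    if first == "p":
        return "ok (paranoid)"
    return f"unknown value {value!r}"


def audit(text: str, programs=("latex", "pdflatex")
          ) -> List[Tuple[str, str, Optional[str], str]]:
    """Return (program, variable, value, verdict) for both open-control knobs."""
    values = parse_cnf(text)
    report = []
    for prog in programs:
        for var in ("openin_any", "openout_any"):
            value = effective(values, var, prog)
            report.append((prog, var, value, verdict(value)))
    return report


if __name__ == "__main__":
    for prog, var, value, note in audit(SAMPLE_CNF):
        print(f"{prog:9} {var:12} = {value!s:5} {note}")
```

Pointing the reader at the real files (the concatenated /etc/texmf/texmf.cnf, or the snippets under /etc/texmf/texmf.d/) instead of SAMPLE_CNF turns this into a one-shot check that a web service's TeX engines are actually running with `openin_any = p`, whatever the shipped default says.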
