Re: SVN tex-common commit: r4812 - in tex-common/trunk: conf/texmf.d debian debian/po
- To: Norbert Preining <preining@logic.at>
- Cc: debian-tex-maint@lists.debian.org
- Subject: Re: SVN tex-common commit: r4812 - in tex-common/trunk: conf/texmf.d debian debian/po
- From: Frank Küster <frank@debian.org>
- Date: Fri, 01 Apr 2011 21:00:24 +0200
- Message-id: <87aag9ztiv.fsf@alhambra.kuesterei.ch>
- In-reply-to: <20110330044932.GC29178@gamma.logic.tuwien.ac.at> (Norbert Preining's message of "Wed, 30 Mar 2011 13:49:32 +0900")
- References: <E1Q2CAp-0002So-2L@alioth.debian.org> <87vcz1zode.fsf@alhambra.kuesterei.ch> <20110330044932.GC29178@gamma.logic.tuwien.ac.at>
Norbert Preining <preining@logic.at> wrote:
> On Tue, 29 Mar 2011, Frank Küster wrote:
>> > - disable shell_escape completely, fix for DSA-2198-1, CVE-2011-1400
>>
>> Is the rationale for this change somewhere documented? Will upstream
>> follow the same reasoning?
>
> Reason: arbitrary code execution
> upstream has retracted before the release of TL2009, but we forgot
> to follow that in our texmf.cnf in tex-common. It was some time
> in TL2009 dev cycle.
>
> For TL2010 this was activated again for a very limited amount
> of programs where we verified that no arbitrary writing outside
> the local dir etc can be done.
Ah, thanks. We, and I, indeed bluntly forgot that: When the activation
of a limited number of programs was discussed in TL 2010, I followed the
discussion and was sure that we had it deactivated...
Regards, Frank
--
Dr. Frank Küster
VCD Miltenberg, ADFC Aschaffenburg-Miltenberg
B90/Grüne KV Miltenberg
Debian Developer (TeXLive)
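The thread turns on one texmf.cnf knob: shell_escape = f turns \write18 off, t lets any command run, and p (the TL2010 "limited amount of programs" mode) runs only what shell_escape_commands lists. The script below is an added example for this page, not tex-common or TeX Live code: it reads those two variables out of a texmf.cnf fragment, following '%' comments and trailing-backslash continuation lines, and reports which policy a given file actually turns on. The three fixture files are constructed here for illustration (their allowlist is not a claim about the real Debian or upstream list), and the reader assumes a single file with no per-program "variable.program" overrides; for the value kpathsea really computes across all texmf.cnf files, ask kpsewhich --var-value shell_escape.

```shell
#!/bin/sh
# Added example: audit the shell_escape policy in a texmf.cnf fragment.
# Not tex-common or TeX Live code. Assumes one file, '%' comments,
# trailing-backslash continuation lines, no "var.prog" overrides.

# texmf_var FILE NAME: print NAME's value (first definition in the file,
# comments stripped, continuation lines joined, whitespace removed).
texmf_var() {
    awk -v name="$2" '
        { sub(/%.*/, "") }                                      # drop % comments
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next } # join "\" lines
        {
            line = buf $0; buf = ""
            if (!found && match(line, "^[ \t]*" name "[ \t]*=")) {
                val = substr(line, RLENGTH + 1)
                gsub(/[ \t]/, "", val)
                found = 1
            }
        }
        END { print val }
    ' "$1"
}

# shell_escape_policy FILE: map texmf.cnf's f / p / t to a word.
# Anything else is reported as-is rather than guessed at.
shell_escape_policy() {
    case "$(texmf_var "$1" shell_escape)" in
        f)  echo disabled ;;
        p)  echo restricted ;;
        t)  echo unrestricted ;;
        "") echo unset ;;
        *)  echo unknown ;;
    esac
}

# shell_escape_allowlist FILE: one allowed command per line, only meaningful
# (and only printed) when the file selects restricted mode.
shell_escape_allowlist() {
    [ "$(shell_escape_policy "$1")" = restricted ] || return 0
    texmf_var "$1" shell_escape_commands | tr ',' '\n' | sed '/^$/d'
}

# shell_escape_report FILE: one human-readable line per file.
shell_escape_report() {
    policy=$(shell_escape_policy "$1")
    case $policy in
        restricted) printf '%s: %s (allowlist: %s)\n' "$1" "$policy" \
                        "$(shell_escape_allowlist "$1" | paste -sd, -)" ;;
        *)          printf '%s: %s\n' "$1" "$policy" ;;
    esac
}

# write_fixtures DIR: constructed texmf.cnf fragments (not real Debian or
# TeX Live files) covering the three settings discussed in the thread.
write_fixtures() {
    cat > "$1/off.cnf" <<'EOF'
% constructed fragment: \write18 disabled entirely
shell_escape = f
EOF
    cat > "$1/restricted.cnf" <<'EOF'
% constructed fragment: restricted mode with an illustrative allowlist
shell_escape = p       % only shell_escape_commands may run
% No spaces in this command list.
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,\
makeindex
EOF
    cat > "$1/open.cnf" <<'EOF'
% constructed fragment: anything passed to \write18 runs
shell_escape = t
EOF
}

# Stand-alone demo over the constructed fixtures.
demo_dir=$(mktemp -d)
write_fixtures "$demo_dir"
for f in "$demo_dir"/*.cnf; do
    shell_escape_report "$f"
done
rm -rf "$demo_dir"
```

The point of the restricted branch is that it prints the allowlist rather than just saying "restricted": as the DSA in this thread shows, p mode is only as safe as every program on that list, so a packager reviewing a texmf.cnf wants the names in front of them, not a green checkmark.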