
Re: SVN tex-common commit: r4812 - in tex-common/trunk: conf/texmf.d debian debian/po



Norbert Preining <preining@logic.at> wrote:

> On Tue, 29 Mar 2011, Frank Küster wrote:
>> > - disable shell_escape completely, fix for DSA-2198-1, CVE-2011-1400
>> 
>> Is the rationale for this change somewhere documented?  Will upstream
>> follow the same reasoning?
>
> Reason: arbitrary code execution
> upstream has retracted before the release of TL2009, but we forgot
> to follow that in our texmf.cnf in tex-common. It was some time
> in TL2009 dev cycle.
>
> For TL2010 this was activated again for a very limited amount
> of programs where we verified that no arbitrary writing outside
> the local dir etc can be done.

Ah, thanks.  We, and I, indeed bluntly forgot that:  When the activation
of a limited number of programs was discussed in TL 2010, I followed the
discussion and was sure that we had it deactivated...

Regards, Frank
-- 
Dr. Frank Küster
VCD Miltenberg, ADFC Aschaffenburg-Miltenberg
B90/Grüne KV Miltenberg
Debian Developer (TeXLive)

