[tex-k] secure mode of dvips should be default
Julian Gilbey
J.D.Gilbey@qmw.ac.uk
Fri, 1 Jun 2001 19:10:18 +0100

On Fri, Jun 01, 2001 at 10:41:58AM -0700, Tomas G. Rokicki wrote:
> Thanks for the email on dvips security!
>
> Can you explain why secure mode should be on by default?
> In other words, how might I run TeX and/or dvips over
> untrusted code? Provide me with a convincing attack
> scenario. A time bomb in some macro source somewhere that
> gets included into a distribution?
>
> Certainly if someone embeds dvips into some sort of automatic,
> MIME-driven viewer, yes, secure mode should be set on, but
> for command-line use?

Download and attempt to print a .dvi file from the web which contains
a malicious \special, perhaps?

   Julian

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Julian Gilbey, Dept of Maths, Queen Mary, Univ. of London
Debian GNU/Linux Developer, see http://people.debian.org/~jdg
Donate free food to the world's hungry: see http://www.thehungersite.com/
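
A pre-print check for the scenario in the reply above, as an added example that is not part of the original message or of dvips: it walks the DVI opcode stream, collects every \special (xxx1..xxx4) payload, and flags those containing a backtick, the shell-command syntax that the dvips documentation says secure mode (-R) disables. The function names and the sample bytes are constructed for illustration, and flagging on any backtick is an assumed, deliberately conservative rule.

```python
FIXED = {132: 8, 137: 8, 139: 44}   # set_rule, put_rule, bop
def _fixed_len(op):
    """Operand bytes for DVI opcodes that carry no variable-length data."""
    if op <= 127 or op in (138, 140, 141, 142, 147, 152, 161, 166) or 171 <= op <= 234:
        return 0
    if op in FIXED:
        return FIXED[op]
    for base in (128, 133, 143, 148, 153, 157, 162, 167, 235):
        if base <= op < base + 4:   # opcode families with 1..4 operand bytes
            return op - base + 1
    raise ValueError("unexpected opcode %d before postamble" % op)

def iter_specials(data):
    """Yield each xxx1..xxx4 payload found before the postamble."""
    pos = 0
    try:
        while pos < len(data):
            op = data[pos]
            if op == 248:                       # post: no more pages
                return
            if 239 <= op <= 242:                # xxx1..xxx4: length, then payload
                n = op - 238
                end = pos + 1 + n + int.from_bytes(data[pos + 1:pos + 1 + n], "big")
                if end > len(data):
                    raise ValueError("truncated special")
                yield data[pos + 1 + n:end]
                pos = end
            elif 243 <= op <= 246:              # fnt_def1..4: skip the font name
                name = pos + 1 + (op - 242) + 12
                pos = name + 2 + data[name] + data[name + 1]
            elif op == 247:                     # pre: 13 fixed bytes, then comment
                pos += 15 + data[pos + 14]
            else:
                pos += 1 + _fixed_len(op)
        raise ValueError("truncated DVI data: no postamble")
    except IndexError:
        raise ValueError("truncated DVI data")

def suspicious_specials(data):
    """Return the specials that contain a backtick (assumed flagging rule)."""
    return [s for s in iter_specials(data) if b"`" in s]

def build_sample():
    """Constructed DVI bytes: one page, one benign special, one with a backtick."""
    def xxx1(s):
        return bytes([239, len(s)]) + s
    body = xxx1(b"papersize=210mm,297mm") + xxx1(b'psfile="`CONSTRUCTED-PLACEHOLDER"')
    return (bytes([247, 2]) + bytes(13) + bytes([139]) + bytes(44) + body
            + bytes([140, 248]) + bytes(28) + bytes([249]) + bytes(5) + bytes([223] * 4))
```

A file that raises ValueError here is malformed or truncated and is best treated the same way as one with flagged specials.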