[tex-k] [rhn-admin@rhn.redhat.com: RHN Errata Alert: Command execution vulnerability in dvips]

Tomas G. Rokicki rokicki@CS.Stanford.EDU
Fri, 01 Nov 2002 11:41:51 -0800


Having problems with our local mailer so I'm gonna try again.

Okay, here's the scoop.

The dvips distributed with RedHat 8.0 (which is the ancient and venerable
5.86, no suffix) has been patched for security, by setting the boolean
secure variable to true.

Unfortunately in 5.86 there is no way to turn the secure variable back off
again (like -R0 on the command line or z0 in the config file for more
recent dvips).

So *right now* anyone who needs dvips to execute a shell command in some
contexts, under RedHat 8.0, is lost.

(Apparently secure mode does not affect everything, like font generation,
even though it should, unless the font generation is significantly
tightened up.  And, of course, that 5.86 has numerous bugs which have
since been fixed).

I'm probably going to send redhat a trivial patch which will allow -R0
to work, so people can at least get their documents to print.  And
I'll do a security audit of dvips and fix this and other security
problems, correctly.  And try to get the word out that, at least for
RedHat 8.0, -R0 is needed to print some documents correctly.

Thoughts or comments?

-tom