[tex-live] Security issues for restricted shell escape

Heiko Oberdiek oberdiek at uni-freiburg.de
Sat Jul 18 08:07:34 CEST 2009


On Sat, Jul 18, 2009 at 01:25:54AM +0200, Heiko Oberdiek wrote:

> On Fri, Jul 17, 2009 at 04:40:25PM -0500, Karl Berry wrote:
> 
> >     Setting "p" isn't much better than "1". 
> > 
> > It at least eliminates the most obvious issues, i.e.,
> > \write18{rm -rf /}
> 
> No, I must say. It's trivial to do this. Many programs
> of the list allow this, e.g.:
> * epstopdf (via pipe feature, a language extension of ghostscript)
>     fixable by -dSAFER and further option validation.
> * etex, latex, luatex, lualatex, pdflatex, pdfluatex, tex
> * texexec (at least option `--paranoid' should be mandatory)
> * texmfstart

* gnuplot

Yours sincerely
  Heiko <oberdiek at uni-freiburg.de>
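
An added example, not part of the original messages and not TeX Live code: a small audit that reads the `shell_escape_commands` allow-list from texmf.cnf text and flags the entries this thread names as able to run further commands. The sample configuration and the function names `parse_cnf` and `audit` are constructed for illustration, and the comment handling is a simplification of kpathsea's rules.

```python
import re

# Programs the thread names as able to run arbitrary commands when reachable
# through restricted \write18; reasons are quoted from the messages above.
RISKY = {
    "epstopdf": "Ghostscript pipe feature; needs -dSAFER and option validation",
    "texexec": "--paranoid should be mandatory",
    "texmfstart": "listed in the thread",
    "gnuplot": "listed in the thread",
}
for _engine in ("etex", "latex", "luatex", "lualatex", "pdflatex", "pdfluatex", "tex"):
    RISKY[_engine] = "TeX engine, listed in the thread"

# Constructed sample for illustration, not a real TeX Live default.
SAMPLE_CNF = r"""
% restricted shell escape
shell_escape = p
shell_escape_commands = \
bibtex,kpsewhich,\
epstopdf,gnuplot,pdflatex,\
makeindex
"""

def parse_cnf(text):
    """Parse texmf.cnf text: '%' comments, trailing-backslash continuations."""
    settings, pending = {}, ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)%.*", "", raw).strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        m = re.match(r"([\w.]+)\s*=?\s*(.*)$", line)
        if m:
            settings.setdefault(m.group(1), m.group(2))  # this example keeps the first definition
    return settings

def audit(text):
    """Return (shell_escape mode, [(command, reason)]) for flagged allow-list entries."""
    cfg = parse_cnf(text)
    allowed = [c.strip() for c in cfg.get("shell_escape_commands", "").split(",")]
    return cfg.get("shell_escape", ""), [(c, RISKY[c]) for c in allowed if c in RISKY]

if __name__ == "__main__":
    mode, findings = audit(SAMPLE_CNF)
    print(f"shell_escape = {mode}")
    for cmd, why in findings:
        print(f"  review allow-list entry {cmd}: {why}")
```
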

