[tex-k] [rhn-admin@rhn.redhat.com: RHN Errata Alert: Command execution vulnerability in dvips]

Tomas G. Rokicki rokicki@CS.Stanford.EDU
Fri, 01 Nov 2002 11:35:28 -0800

Okay, here's the scoop.

The dvips distributed with RedHat 8.0 (which is the ancient and venerable
5.86, no suffix) has been patched for security, by setting the boolean
secure variable to true.

Unfortunately in 5.86 there is no way to turn the secure variable back off
again (like -R0 on the command line or z0 in the config file for more
recent dvips).

So *right now* anyone who needs dvips to execute a shell command in some
contexts, under RedHat 8.0, is lost.

(Apparently secure mode does not affect everything, like font generation,
even though it should, unless the font generation is significantly
tightened up.  And, of course, that 5.86 has numerous bugs which have
since been fixed.)

I'm probably going to send RedHat a trivial patch which will allow -R0
to work under the version of dvips they are using, and then we can
attempt to get the word out.  Meanwhile, I will also do a security audit
of dvips (probably take me a while) and clean up the obvious defects.

If I can get a patch to RedHat's patch, that fixes dvips, we'll be in
better shape, because right now there is nothing I can say to users of
RedHat 8.0 that will get them a working system.

And I need to write up a little blurb on how to use the security
features.  Like, in a print spooler or browser plugin, there should be
*no way* to turn off secure mode, and secure mode should be *secure*,
even if that means the output is subpar.  Does this mean I disable
font generation if you use dvips as a print spooler?  I haven't figured
it all out yet.

Any thoughts or comments are appreciated.