[tex-k] [rhn-admin@rhn.redhat.com: RHN Errata Alert: Command execution vulnerability in dvips]

Reinhard Kotucha reinhard@kammer.uni-hannover.de
Sat, 2 Nov 2002 03:43:45 +0100

>>>>> "Tomas" == Tomas G Rokicki <rokicki@cs.stanford.edu> writes:

    > Any thoughts or comments are appreciated.

Isn't it sufficient to have an environment variable so that the print
spooler can say:

disable_some_options=true  dvips "$@"

or something like that?

But what I'm more concerned about is that RedHat distributes a dvips
that behaves different than that on other systems.

There is absolutely no reason to make any changes to dvips, it is
absolutely sufficient to send a bug report.

In my opinion, the best way to go is to put dvips under the LPPL.
Then dvips would be dvips and RedHat has to distribute it under
another name, i.e. "dvips_broken_by_RedHat".


Reinhard Kotucha			             Phone: +49-511-27060390
Marschnerstr. 25
D-30167 Hannover	              mailto:reinhard@kammer.uni-hannover.de
Microsoft isn't the answer. Microsoft is the question, and the answer is NO.