[tex-live] Status of restricted \write18 and epstopdf conversion

Manuel Pégourié-Gonnard mpg at elzevir.fr
Tue Oct 27 12:21:13 CET 2009


Philip TAYLOR a écrit :
> OK, I don't want to pursue this one excessively (mainly because,
> it being a glorious autumn day, I am keen to get out cycling),

I don't want to discuss this in details right now either, because this
feature has been temporarily withdrawn, and until TL09 is released, I
prefer concentrating on problems with TL09. We can discuss it later, of
course.

> but isn't it /possible/ that through a clever combination of
> dirty tricks, a Trojan could fake one of the very commands
> that the restricted version of shell-escape is willing
> to execute, thereby once again compromising the whole system ?
> 
One of the reasons that made us withdraw the feature for now is
precisely that this is not impossible now. When we re-introduce the
feature, we will try hard to make sure this (and other kinds of attacks)
is not possible. (Of course one can never be 100% sure, but the same is
true for many other features of *TeX and other software.)


Manuel.


More information about the tex-live mailing list