[tex-live] README with executable bit on

Robin Fairbairns Robin.Fairbairns at cl.cam.ac.uk
Sat Apr 6 01:02:21 CEST 2013


jfbu <jfbu at free.fr> wrote:

> I just updated TL 2012 on a Mac OS, using TeX Live Utility
> I see a small package passing by, "roundbox" and I want to
> read its documentation. Double-Clicking the README icon
> pops up a Terminal window and it appears as if some script
> was trying to run.
> 
> So I go
> to see the actual file:
>  /usr/local/texlive/2012/texmf-dist/doc/latex/roundbox/README
> and it has the executable bit on, although it is a perfectly
> innocent text file
> 
>   -rwxr-xr-x        945 Apr  4 00:39 README

interestingly, the copy at my ctan has no "x" bits, but the other one
does.  the latest install of roundbox was by me, for my ctan.

> retrospectively isn't this a potential security problem?

everything that people think they can "click on" is a potential security
hole.  i'm not convinced that clicking on ctan files (that aren't
explicitly scripts, but have the wrong protection) is likely to be
problematic.

> I could have triggered any kind of malicious shell script this way.

but probably not on something that's come from ctan.

i've been running a ctan host since some time in the 90s, and i've only
once had a virus alert ... and that was a false alarm.

we get lots of viruses/assorted other malware uploaded (one today was
helpfully called something like "install apps"), but we hardly ever get
even as far as unpacking them...

none of which is to say that we will always be this lucky, but while the
mechanism stays the way it is...

Robin Fairbairns

For the CTAN team
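The check the thread is really asking for, as an added example that is not part of the original post and not CTAN or TeX Live code: a POSIX shell audit that walks a tree (the texmf-dist doc directory quoted above is the intended input) and lists regular files that carry an executable bit but do not start with a `#!` shebang or the ELF magic, i.e. plain text such as the README that Finder would hand to Terminal. A second function clears the bit on exactly those files. The function names, the four-byte signature test and the sample files in the usage comment are my assumptions.

```shell
#!/bin/sh
# Audit a directory tree for regular files that are marked executable but do
# not look like executables (no "#!" shebang, no ELF magic). Such files are
# what a "double-click" on macOS opens in Terminal and tries to run.
# Example (hypothetical) invocation:
#   audit_exec_bits /usr/local/texlive/2012/texmf-dist/doc
# Assumed helper names; not part of TeX Live or CTAN tooling.

# Print the hex of a file's first four bytes (empty for an empty file).
first_bytes_hex() {
    dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# List regular files under $1 with any exec bit set whose first bytes are
# neither "#!" (23 21) nor the ELF header (7f 45 4c 46), one path per line.
# Octal -perm tests are used so the same command works with GNU and BSD find.
audit_exec_bits() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
    while IFS= read -r f; do
        case "$(first_bytes_hex "$f")" in
            2321*)    ;;                      # shebang script: expected
            7f454c46) ;;                      # ELF binary: expected
            *)        printf '%s\n' "$f" ;;   # text or unknown: report it
        esac
    done
}

# Remediation: drop the exec bits from every file the audit reports.
clear_exec_bits() {
    audit_exec_bits "$1" |
    while IFS= read -r f; do
        chmod a-x "$f"
    done
}

# Run the audit when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_exec_bits "$1"
fi
```

The audit is deliberately conservative: it only trusts two signatures, so an executable-marked file with an unusual but legitimate header is reported and left for a human to judge rather than silently accepted. Running `clear_exec_bits` on a documentation tree is safe in the sense that nothing under `doc/` is meant to be executed, but for other parts of a texmf tree review the audit output first.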

