[tex-live] epstopdf.sty 2008 vs 2009

Heiko Oberdiek oberdiek at uni-freiburg.de
Fri Aug 14 07:58:02 CEST 2009

On Thu, Aug 13, 2009 at 07:45:42PM -0500, Karl Berry wrote:

>     recent versions of (pdf)latex do not allow calling remote programs. 
> This year will be the first time that we have enabled external
> execution, now in the new "restricted" mode.

That is in fact quite unrestricted with the current list of
allowed programs. The list has improved, but there are still
too many security holes:

% running through etex, latex, pdflatex, ...
\immediate\write18{ls -l}% disallowed
  etex -shell-escape \immediate\write18{ls -l}\end
}}% but this is allowed
\csname @@end\endcsname\end

Problematic entries in the list:
* etex
* pdfluatex
and perhaps others.

If theses programs should be part of the list, then
the code that checks the program call could add a check
for (Perl pattern):
* Options can start with one or two hyphens.
* Options can be abbreviated. Because of "-shell-restricted"
  the shortest variant is "-shell-e".
* -no-shell-escape is ok.

> Needs to be emblazoned in
> many announcements, since it'll require changes by the admins who need
> maximum paranoia, and there are some who have good reason for it.

I don't think, it needs "maximum" paranoia for the wish that
restricted mode does not allow the execution of arbitrary programs.
Some of the security problems that should be addressed:
a) The executed programs must be known. It should be impossible
   for an attacker to write a program/script/batch file with
   a allowed name and call it afterwards. Main problem is
   the current directory in PATH (not recommended anyway, but who
   knows). The position doesn't matter. If the current directory
   is the last one, then the attacker can still use names of
   programs that aren't installed.
b) Arbitrary command calls must not be allowed. That requires
   that each program that wants to be added to the allowed list
   must be checked/audited/discussed, whether this is possible.
c) Writing files: Except for TeX programs external programs
   don't know about `openout_any' or `openin_any'. Thus they
   are able to write their results in any place that the
   operating system permits. This is the price of restricted
   mode. At least it should be impossible to write arbitrary
   files. Settings of openout_any or openout_in aren't
   necessarily inherited. Care is necessary, e.g.
   texmf.cnf allows "openout_any=a", but `etex' is called
   with environment variable "openout_any.etex=p", but the
   called program is `pdfluatex' ...

Yours sincerely
  Heiko <oberdiek at uni-freiburg.de>

More information about the tex-live mailing list