On Fri, Aug 20, 2010 at 03:50:20PM +0100, Richard Miller wrote:
> > - There was support for embedded commands calling system(3).
> > [...]
> The article also mentions some attacks on previewers, but the authors
> seem to have missed the potential exploits enabled by this "feature"
> of dvips. [...]
Proprietary (_bad!_) software hides the source. While some "open" (_good!_) software shows you the haystack... and invites you to find the needle. The current distributions of TeX et al. are so frightening that it is not surprising that the authors of the article have focused on documented "features" and not tried to visit the Augean Stables. And the fault is not on the original authors of the program, since the state is unchanged in 15 or even 20 years! Only the amount of "goodies" has increased.

In the same security audit for dvips(1), I will keep the automatic generation of missing fonts, but the program/script called will be a fully qualified name in the kerTeX hierarchy (supposed to be correctly administered), and not just a filename (last component) called wherever an executable with this name happens to exist in the PATH.

The purpose of a---my claim---Unix purity, that is Plan 9 spirit, TeX distribution is that there is only a well identified, small amount of added code to TeX et al., so that it can be audited, maintained and used: no transfinite amount of hidden options. Security will be the side effect of maintenance and usability.

But I have been qualified by a former employer as "psychorigid" since I say (harshly) far more often "no!" than "yes", and remove more easily than I add... (starting by removing "great ideas" even before starting to implement them...). So kerTeX will probably never be very popular.

-- 
Thierry Laronde <tlaronde +AT+ polynum +dot+ com>
http://www.kergis.com/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89 250D 52B1 AE95 6006 F40C
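The point made above about dvips invoking its font-generation helper by bare name, as an added shell example that is not code from dvips, TeX Live or kerTeX. It builds a constructed scenario (an "administered" hierarchy plus an attacker-writable directory that sits ahead of it in PATH), shows that a bare-name lookup picks up the attacker's copy while a fully qualified call does not, and adds the check a practitioner would want before trusting that hierarchy: refuse a helper that is relative or world-writable, and start from a known PATH rather than the caller's. The directory layout, the helper name `mktexpk` and the permission check are assumptions for the demonstration, not anything the kerTeX hierarchy actually prescribes.

```sh
#!/bin/sh
# Added example, not code from dvips or kerTeX. Contrasts looking up a helper
# by bare name through PATH with calling it by a fully qualified path inside an
# administered hierarchy. Names and layout below are assumptions for the demo.

# Emulate the execvp(3)-style search a bare program name gets: the first
# executable with that name in PATH order wins, whoever owns that directory.
resolve_in_path() {
    name=$1
    saved_ifs=$IFS
    IFS=:
    for d in $PATH; do
        IFS=$saved_ifs
        [ -z "$d" ] && d=.      # an empty PATH component means the current directory
        if [ -x "$d/$name" ] && [ ! -d "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    IFS=$saved_ifs
    return 1
}

# Run a helper by fully qualified path only, from a known PATH, and only if the
# file is not world-writable, so a misadministered hierarchy is refused rather
# than trusted. The body is a subshell so the PATH reset does not leak out.
run_trusted() (
    helper=$1
    PATH=/usr/bin:/bin          # do not inherit the caller's PATH for find(1) etc.
    case $helper in
        /*) ;;
        *)  echo "refusing relative helper name: $helper" >&2; exit 2 ;;
    esac
    [ -x "$helper" ] || { echo "missing or not executable: $helper" >&2; exit 2; }
    if [ -n "$(find "$helper" -perm -002 2>/dev/null)" ]; then
        echo "refusing world-writable helper: $helper" >&2
        exit 2
    fi
    "$helper"
)

# Constructed scenario: an administered hierarchy (kertex/bin) and an
# attacker-writable directory (attacker) that ends up ahead of it in PATH,
# the way a user's ~/bin or /tmp sometimes does.
make_scenario() {
    work=$(mktemp -d)
    mkdir -p "$work/kertex/bin" "$work/attacker"
    printf '#!/bin/sh\necho genuine-mktexpk\n' > "$work/kertex/bin/mktexpk"
    printf '#!/bin/sh\necho hijacked-mktexpk\n' > "$work/attacker/mktexpk"
    chmod 755 "$work/kertex/bin/mktexpk" "$work/attacker/mktexpk"
    printf '%s\n' "$work"
}

# What a "call mktexpk by its last component" design does under the hostile PATH.
by_name() {
    work=$1
    ( PATH="$work/attacker:$work/kertex/bin:$PATH"; mktexpk )
}

# What a fully qualified call into the administered hierarchy does under the
# same hostile PATH.
by_path() {
    work=$1
    ( PATH="$work/attacker:$work/kertex/bin:$PATH"
      run_trusted "$work/kertex/bin/mktexpk" )
}

# Stand-alone demonstration.
w=$(make_scenario)
echo "PATH lookup resolves to: $(PATH="$w/attacker:$w/kertex/bin:$PATH" resolve_in_path mktexpk)"
echo "by bare name:            $(by_name "$w")"
echo "by fully qualified path: $(by_path "$w")"
rm -rf "$w"
```

The bare-name call prints `hijacked-mktexpk`, the fully qualified call prints `genuine-mktexpk`, and `run_trusted` refuses both a relative name and a helper that has been chmod'ed world-writable. In a real program the same checks belong in C with stat(2) and an explicit execv(3) of the absolute path, since a script doing the checking must itself resolve `find` and friends somehow; resetting PATH before that is the cheap mitigation used here.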