Re: pkgsrc and security: xpdf example

[tlaronde%polynum.com@localhost]

On Tue, Jul 30, 2019 at 04:13:10PM +0200, Hauke Fath wrote:
> On 2019-07-29 09:37, tlaronde%polynum.com@localhost wrote:
>[...] 
> ... what xpdf does (print with a pre-set command via system()) is exactly
> what I would (have to) do from the commandline. Same credentials. So how
> does forcing me to send a document to a printer from the shell prompt, as
> opposed to out of xpdf, make anything/anybody safer?
> 

There is no problem for a "normal" user session with access to a shell,
so one could make directly what one makes indirectly via the print
command.

The only "problem" is that if using xpdf to render on screen a PDF
document, xpdf being called from inside a GUI for example, user having
not access to a shell, the "printing command" is in fact just a whatever
command sent to system(3).

And I repeat once more: it's not critics about xpdf (I use it and I'm
happy to have it) it is just a remainder that there are "escaping
routes" where one would not think of them at first simply because of the
assumption that xpdf "prints" and that's all. No: it is also an access
to the shell in some way.

When I made kerTeX (a distribution of TeX and al.), I discoverd that in
dvips(1) there was the possibility to embed in a dvi files commands that
will just be executed by system(3). I simply removed all this because it
was a too big security problem if someone would open a dvi file coming
from who knows where.

Here, the problem is far less important because the xpdf user has to do
something nasty (or can do a mistake; it would be a very bad idea to
name the print program: 'prm' and to forget to type the leading 'p'...)
and it is not something present in the pdf that executes without knowing
it. But nonetheless, it is better if it's documented.
-- 
        Thierry Laronde <tlaronde +AT+ polynum +dot+ com>
                     http://www.kergis.com/
                       http://www.sbfa.fr/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89  250D 52B1 AE95 6006 F40C