tech-pkg archive


Re: pkgsrc and security: xpdf example

On Tue, Jul 30, 2019 at 04:13:10PM +0200, Hauke Fath wrote:
> On 2019-07-29 09:37, wrote:
> ... what xpdf does (print with a pre-set command via system()) is exactly
> what I would (have to) do from the commandline. Same credentials. So how
> does forcing me to send a document to a printer from the shell prompt, as
> opposed to out of xpdf, make anything/anybody safer?

There is no problem for a "normal" user session with access to a shell,
so one could make directly what one makes indirectly via the print

The only "problem" is that if xpdf is used to render a PDF document
on screen, xpdf being called from inside a GUI for example, the user
not having access to a shell, the "printing command" is in fact just an
arbitrary command sent to system(3).

And I repeat once more: this is not criticism of xpdf (I use it and I'm
happy to have it); it is just a reminder that there are "escape
routes" where one would not think of them at first, simply because of the
assumption that xpdf "prints" and that's all. No: it is also an access
to the shell in some way.

When I made kerTeX (a distribution of TeX et al.), I discovered that in
dvips(1) there was the possibility to embed in a dvi file commands that
will just be executed by system(3). I simply removed all this because it
was too big a security problem if someone were to open a dvi file coming
from who knows where.

Here, the problem is far less important because the xpdf user has to do
something nasty (or can make a mistake; it would be a very bad idea to
name the print program 'prm' and to forget to type the leading 'p'...)
and it is not something present in the PDF that executes without the
user knowing it. But nonetheless, it is better if it's documented.
        Thierry Laronde <tlaronde +AT+ polynum +dot+ com>
Key fingerprint = 0FF7 E906 FBAF FE95 FD89  250D 52B1 AE95 6006 F40C
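
Added example, not part of the original message and not xpdf's code: a print helper that runs a configured print command with fork/execvp instead of system(3), so the setting is never interpreted by /bin/sh. The function names, the accepted character set and passing the document as the last argument are assumptions made for this sketch.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define MAX_ARGS 8

/* Split a configured print command into argv without a shell. Returns argc,
 * or -1 if any character falls outside a conservative set, so ; | & $ `
 * quotes and redirections are refused instead of being interpreted. */
int split_print_cmd(char *cmd, char **argv)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_./ ";
    int argc = 0;
    if (cmd[strspn(cmd, ok)] != '\0')
        return -1;
    for (char *t = strtok(cmd, " "); t != NULL; t = strtok(NULL, " ")) {
        if (argc == MAX_ARGS)
            return -1;
        argv[argc++] = t;
    }
    argv[argc] = NULL;
    return argc > 0 ? argc : -1;
}

/* Run the command on `file` with fork/execvp, so the configured string is
 * never handed to /bin/sh as system(3) would. Returns exit status or -1. */
int run_print_cmd(const char *configured, const char *file)
{
    char buf[256], *argv[MAX_ARGS + 2];
    int argc, status;
    pid_t pid;
    if (strlen(configured) >= sizeof buf)
        return -1;
    strcpy(buf, configured);
    if ((argc = split_print_cmd(buf, argv)) < 0)
        return -1;
    argv[argc] = (char *)file;       /* file name is one argv slot, unparsed */
    argv[argc + 1] = NULL;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                  /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) { return run_print_cmd("true", "constructed.ps"); }
```

Skipping the shell only removes metacharacter interpretation: the program named in the setting still runs with the user's credentials, so the 'prm' versus 'rm' typo described in the message is not prevented by this.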
