Bug#51586: Please Reopen 51586 ("secure" mode in dvips should be the default)
From: eichin@thok.org
Subject: Re:
Date: 20
> I hope you don't mind my bringing this to the attention of a wider
> audience (security@debian.org in particular), I think they might have
> more clear arguments as to why dvips -R should be the default (or not,
> and if not, they're probably more likely to convince me to drop the
> issue :-)
No, I do not mind at all; I wish to clarify the problem.
> > By the way, it is described in the dvips info as follows: ...
> > or whatever is appropriate. This feature can be disabled with the `-R'
> > command-line option or `R' configuration option.
>
> When I submitted the report, I think the configuration option was new,
> and the place I'd heard about the issue had actually changed the
> code. Changing the debian version of the config file is probably
> a reasonable approach. I don't recall if I'd checked the redhat
> installation at the time for comparison.
Well, I doubt that the `R' configuration option disables the feature,
because `R' is used to set the resolution of PK fonts as far as I know.
It seems the statement in the info is wrong; does anyone know about
this? (Another bug?)
> It means that if I send someone a DVI file, and they view it with xdvi
> it looks ok (because xdvi ignores most \specials) but if I have a
> \special that says "rm -rf $HOME", and they go to print it, kaboom.
Thanks for your explanation. I understand that this is really
a problem.
Regards, 2000.5.21
--
Debian JP Developer - much more I18N of Debian
Atsuhito Kohda <kohda@pm.tokushima-u.ac.jp>
Department of Math., Tokushima Univ.
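Since xdvi does not show what a file's \specials contain, a recipient can list them before printing. The following is an added example, not part of the original message or of dvips: it walks the DVI opcode stream and returns every special. Treating a backquote as the marker of a command is this example's assumption, and `SAMPLE` is a constructed input.

```python
import struct

# Operand sizes of fixed-length DVI opcodes: set_rule, put_rule, bop, post,
# then the 1..4-byte families (set, put, right, w, x, down, y, z, fnt).
FIXED = {132: 8, 137: 8, 139: 44, 248: 28}
for base in (128, 133, 143, 148, 153, 157, 162, 167, 235):
    for i in range(4):
        FIXED[base + i] = i + 1

def dvi_specials(data):
    """Return the text of every xxx1..xxx4 (\\special) command in a DVI file."""
    found, pos = [], 0
    try:
        while pos < len(data):
            op = data[pos]
            pos += 1
            if 239 <= op <= 242:        # xxx: k[n] length, then k bytes of text
                n = op - 238
                k = int.from_bytes(data[pos:pos + n], "big")
                found.append(data[pos + n:pos + n + k].decode("latin-1"))
                pos += n + k
            elif 243 <= op <= 246:      # fnt_def: k[n] c[4] s[4] d[4] a[1] l[1] name
                n = op - 242
                pos += n + 14 + data[pos + n + 12] + data[pos + n + 13]
            elif op == 247:             # pre: i[1] num[4] den[4] mag[4] k[1] comment
                pos += 14 + data[pos + 13]
            elif op == 249:             # post_post: nothing of interest follows
                break
            elif op >= 250:
                raise ValueError(f"undefined DVI opcode {op}")
            else:
                pos += FIXED.get(op, 0)  # opcodes not in FIXED take no operands
    except IndexError:
        raise ValueError("truncated DVI data") from None
    return found

def suspicious_specials(data):
    # Heuristic (assumption): a backquote marks text dvips may run as a command.
    return [s for s in dvi_specials(data) if "`" in s]

def _xxx1(text):
    return bytes([239, len(text)]) + text.encode("latin-1")

# Constructed sample: preamble, one page with two specials, postamble.
SAMPLE = (bytes([247, 2]) + struct.pack(">III", 25400000, 473628672, 1000)
          + bytes([4]) + b"test" + bytes([139]) + bytes(44)
          + _xxx1("psfile=figure.eps") + _xxx1('psfile="`echo constructed-sample"')
          + bytes([65, 140, 248]) + bytes(28)
          + bytes([249]) + bytes(4) + bytes([2]) + bytes([223] * 4))
```

Anything `suspicious_specials` returns is worth reading by hand before the file goes to dvips; running dvips with `-R`, as discussed in the thread, remains the actual control.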