teximg security problem

master
Joey Hess 2009-08-30 15:20:32 -04:00
parent b83cb1d9f5
commit 41122048b9
1 changed files with 10 additions and 0 deletions

View File

@ -417,3 +417,13 @@ attack.
intrigeri discovered this problem on 12 Nov 2008 and a patch put in place intrigeri discovered this problem on 12 Nov 2008 and a patch put in place
later that day, in version 2.70. The fix was backported to testing as version later that day, in version 2.70. The fix was backported to testing as version
2.53.3, and to stable as version 1.33.7. 2.53.3, and to stable as version 1.33.7.
## Insufficient blacklisting in teximg plugin
Josh Tripplet discovered on 28 Aug 2009 that the teximg plugin's
blacklisting of insecure TeX commands was insufficient; it could be
bypassed and used to read arbitrary files. This was fixed by
enabling TeX configuration options that disallow unsafe TeX commands.
The fix was released on 30 Aug 2009 in version 3.1415926, and was
backported to stable in version 2.53.4. If you use the teximg plugin,
I recommend upgrading.