lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 11 Feb 2022 11:12:54 +0900
From:   Akira Yokosawa <akiyks@...il.com>
To:     Jonathan Corbet <corbet@....net>
Cc:     linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
        Akira Yokosawa <akiyks@...il.com>
Subject: Re: [PATCH] docs: Makefile: Add -no-shell-escape option to LATEXOPTS

On Thu, 10 Feb 2022 10:51:17 -0700,
Jonathan Corbet wrote:
> Akira Yokosawa <akiyks@...il.com> writes:
[...]
>>
>> diff --git a/Documentation/Makefile b/Documentation/Makefile
>> index 9f4bd42cef18..64d44c1ecad3 100644
>> --- a/Documentation/Makefile
>> +++ b/Documentation/Makefile
>> @@ -26,7 +26,7 @@ SPHINX_CONF   = conf.py
>>  PAPER         =
>>  BUILDDIR      = $(obj)/output
>>  PDFLATEX      = xelatex
>> -LATEXOPTS     = -interaction=batchmode
>> +LATEXOPTS     = -interaction=batchmode -no-shell-escape
> 
> Interesting.  In my digging now and back in 2016 [1] everything I found
> said that \write18 had to be explicitly enabled - and for good reason.
> And I could never figure out *how* we were enabling it...  It turns out
> that the net misinformed me; how come nobody ever told me that could
> happen? :)
> 
> Anyway, I've applied this, but I'm going to tweak the changelog a bit.
> My reason for wanting this isn't to make the warning go away - it's a
> *tiny* piece of the noise of a pdfdocs build.  That warning is there for
> a reason; \write18 is dangerous.  We really don't want any way for
> arbitrary shell commands to be executed via the docs build.  So the new
> text is:
> 
>   It turns out that LaTeX enables \write18, which allows arbitrary shell
>   commands to be executed from the document source, by default.  This the
>   often-seen warning during a pdfdocs build:
> 
>     restricted \write18 enabled
> 
>   That is a potential security problem and is entirely unnecessary; nothing
>   in the kernel PDF docs build needs that capability.  So disable \write18
>   explicitly.

I don't think the "restricted \write18 enabled" mode permits *arbitrary*
shell commands.  This is different from adding -shell-escape, rather the
default option is -shell-restricted.  In this mode, only those commands
listed by "kpsewhich -var-value=shell_escape_commands" are allowed.

In my setting, it lists:
bibtex,bibtex8,extractbb,gregorio,kpsewhich,makeindex,repstopdf,r-mpost,texosquery-jre8,

As you can see, the format of the list indicates that the restriction
concerns only the name of the command, which might be circumvented in
a clever way :-/

-no-shell-escape is expected to plug the hole, but LaTeX/TeX
implementation might have an unknown security issue.  Who knows!

> 
> I think I'll add a Cc: stable while I'm at it.  I know of no actual
> threat, but this is best closed.
> 
> Thanks for fixing this,
> 
> jon
> 
> [1] https://lore.kernel.org/lkml/20161113125250.779df4dd@lwn.net/

Thanks for the link.
This is useful in understanding the early days of Sphinx adoption.

I'm kind of worried that Linus might get another flashback seeing
my updates in LaTeX preamble.  ;-)

        Thanks, Akira

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ