[tex-k] [rhn-admin@rhn.redhat.com: RHN Errata Alert: Command execution vulnerability in dvips]

Akira Kakuto kakuto@fsci.fuk.kindai.ac.jp
Wed, 16 Oct 2002 01:03:41 +0900

> I am not sure whether this has been fixed or not.
> Further, I suspect it hasn't been.

system() is disabled by default in config.ps:
* Run securely (z: disable system call, z0: enable system call)
* overriden by -R0 and -R options, respectively.

Boolean secure = 1 ;          /* make safe for suid */
in dvips.c will be better.
(Currently Boolean secure = 0 ;          /* make safe for suid */)

If one invokes by -R0 option, system() is enabled.
Akira Kakuto