rpms/ikiwiki/F-10 ikiwiki-2.72-teximg.patch, NONE, 1.1 ikiwiki.spec, 1.12, 1.13

Thomas Moschny thm at fedoraproject.org
Tue Sep 1 22:55:18 UTC 2009


Author: thm

Update of /cvs/pkgs/rpms/ikiwiki/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21192

Modified Files:
	ikiwiki.spec 
Added Files:
	ikiwiki-2.72-teximg.patch 
Log Message:
* Wed Sep  2 2009 Thomas Moschny <thomas.moschny at gmx.de> - 2.72-2
- Add patch for teximg plugin: Make TeX handle preventing unsafe
  things; remove insufficient blacklist (fixes CVE-2009-2944, see
  bz 520543).


ikiwiki-2.72-teximg.patch:
 teximg.pm |   41 ++---------------------------------------
 1 file changed, 2 insertions(+), 39 deletions(-)

--- NEW FILE ikiwiki-2.72-teximg.patch ---
>From f41d51c825450c5f423b35d887e99820369402f9 Mon Sep 17 00:00:00 2001
From: Joey Hess <joey at gnu.kitenet.net>
Date: Tue, 1 Sep 2009 15:31:21 -0400
Subject: [PATCH] teximg: Make TeX handle preventing unsafe things; remove insufficient blacklist

TeX has configuration options that prevent unsafe things like shell
escapes and insecure file reads/writes.  Turn all of them on.

teximg's regex-based blacklist does not suffice.  For instance:

[[!teximg code="""
\catcode`\%=0
%input{/etc/passwd}
"""]]

Remove the blacklist, since the TeX configuration options seal off the
underlying mechanisms more safely, and the blacklist blocks other TeX
commands that can prove useful.

Conflicts:

	debian/changelog
---
 IkiWiki/Plugin/teximg.pm |   40 ++--------------------------------------
 1 files changed, 2 insertions(+), 38 deletions(-)

diff --git a/IkiWiki/Plugin/teximg.pm b/IkiWiki/Plugin/teximg.pm
index 57b2314..099ec63 100644
--- a/IkiWiki/Plugin/teximg.pm
+++ b/IkiWiki/Plugin/teximg.pm
@@ -69,13 +69,7 @@ sub preprocess (@) {
 	if (! defined $code && ! length $code) {
 		error gettext("missing tex code");
 	}
-
-	if (check($code)) {
-		return create($code, check_height($height), \%params);
-	}
-	else {
-		error gettext("code includes disallowed latex commands")
-	}
+	return create($code, check_height($height), \%params);
 }
 
 sub check_height ($) {
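Review bot: The new unconditional `return create(...)` on line 69 is reached for an empty string as well, because the guard just above it tests `! defined $code && ! length $code` — with `&&`, a defined-but-empty `$code` is not rejected, so "missing tex code" only fires when `$code` is undef. The guard should read `if (! defined $code || ! length $code) {`. preprocess begins before this hunk, so where `$code` comes from is not visible here; if an empty value can arrive, it would otherwise go on to create() and run latex on an empty document.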
@@ -155,7 +149,7 @@ sub gen_image ($$$$) {
 	my $tmp = eval { create_tmp_dir($digest) };
 	if (! $@ &&
 	    writefile("$digest.tex", $tmp, $tex) &&
-	    system("cd $tmp; latex --interaction=nonstopmode $tmp/$digest.tex > /dev/null") == 0 &&
+	    system("cd $tmp; shell_escape=f openout_any=p openin_any=p latex --interaction=nonstopmode $digest.tex < /dev/null > /dev/null") == 0 &&
 	    # ensure destination directory exists
 	    writefile("$imagedir/$digest.png", $config{destdir}, "") &&
 	    (($config{teximg_dvipng} &&
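Review bot: Line 78 still builds the latex invocation as one shell string with `$tmp` and `$digest` interpolated unquoted, so the new `shell_escape`/`openout_any`/`openin_any` settings constrain TeX but the command line itself is still parsed by `sh` with whatever those two values contain; both come from create_tmp_dir and the digest computation, which lie outside this hunk, so this may be fine today but cannot be confirmed here. Passing them as positional parameters keeps every other part of the line, including the `cd` and the redirects: `system('sh', '-c', 'cd "$1" && shell_escape=f openout_any=p openin_any=p latex --interaction=nonstopmode "$2.tex" < /dev/null > /dev/null', 'sh', $tmp, $digest) == 0 &&`. Whether the installed TeX honours these three variables from the environment depends on its kpathsea configuration, which is worth confirming once on the build target. gen_image's body continues beyond this hunk.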
@@ -191,34 +185,4 @@ sub create_tmp_dir ($) {
 	return $tmpdir;
 }
 
-sub check ($) {
-	# Check if the code is ok
-	my $code = shift;
-
-	my @badthings = (
-		qr/\$\$/,
-		qr/\\include/,
-		qr/\\includegraphic/,
-		qr/\\usepackage/,
-		qr/\\newcommand/, 
-		qr/\\renewcommand/,
-		qr/\\def/,
-		qr/\\input/,
-		qr/\\open/,
-		qr/\\loop/,
-		qr/\\errorstopmode/,
-		qr/\\scrollmode/,
-		qr/\\batchmode/,
-		qr/\\read/,
-		qr/\\write/,
-	);
-	
-	foreach my $thing (@badthings) {
-		if ($code =~ m/$thing/ ) {
-			return 0;
-		}
-	}
-	return 1;
-}
-
 1
-- 
1.6.3.3



Index: ikiwiki.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ikiwiki/F-10/ikiwiki.spec,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -p -r1.12 -r1.13
--- ikiwiki.spec	2 Jan 2009 11:32:27 -0000	1.12
+++ ikiwiki.spec	1 Sep 2009 22:55:17 -0000	1.13
@@ -1,6 +1,6 @@
 Name:           ikiwiki
 Version:        2.72
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A wiki compiler
 
 Group:          Applications/Internet
@@ -8,6 +8,7 @@ License:        GPLv2+
 URL:            http://ikiwiki.info/
 Source0:        http://ftp.debian.org/debian/pool/main/i/%{name}/%{name}_%{version}.tar.gz
 Patch0:         ikiwiki-2.72-libexecdir.patch
+Patch1:         ikiwiki-2.72-teximg.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:      noarch
 
@@ -49,6 +50,7 @@ array of plugins.
 %prep
 %setup0 -q -n %{name}
 %patch0 -p1 -b .libexecdir
+%patch1 -p1
 
 # Filter unwanted Provides:
 %{__cat} << \EOF > %{name}-prov
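Review bot: `%patch1 -p1` on line 150 omits the backup suffix that `%patch0 -p1 -b .libexecdir` directly above it uses; for consistency `%patch1 -p1 -b .teximg` would keep a pre-patch copy of teximg.pm in the build tree the same way the first patch does.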
@@ -143,6 +145,11 @@ meta-wrapper in this package.
 
 
 %changelog
+* Wed Sep  2 2009 Thomas Moschny <thomas.moschny at gmx.de> - 2.72-2
+- Add patch for teximg plugin: Make TeX handle preventing unsafe
+  things; remove insufficient blacklist (fixes CVE-2009-2944, see
+  bz 520543).
+
 * Fri Jan  2 2009 Thomas Moschny <thomas.moschny at gmx.de> - 2.72-1
 - Update to 2.72.
 - Patch for mtn plugin has been applied upstream.



