Message from discussion Who is this guy...?
Newsgroups: comp.text.tex
From: JohnF <j...@please.see.sig.for.email.com>
Date: Tue, 26 May 2009 13:29:24 +0000 (UTC)
Local: Tues, May 26 2009 9:29 am
Subject: Re: Who is this guy...?

Robin Fairbairns <r...@cl.cam.ac.uk> wrote:
> JohnF <j...@please.see.sig.for.email.com> writes:
>>I'm asking about the author of the email reproduced (without
>>permission) below.  The simple errors described there have been
>>fixed, with corrected code for the two ctan programs available at
>>     http://www.forkosh.com/mimetex.zip
>>     http://www.forkosh.com/mathtex.zip
>>But it's not yet submitted to ctan as they're trivial errors very
>>hard to trip over and hardly worth the administrative overhead (for
>>me or for ctan).  However, they are errors worth my time to fix,
>>and somebody (see cc's on email) must have taken a hard look
>>at the programs to find them.  For that I'm grateful.

>>What does bother me, however, is what seems to me like the
>>pompous, supercilious attitude of self-proclaimed net police
>>who write email to total strangers containing stuff like
>>   IMPORTANT: Please let us know if you have any questions/concerns,
>>   we would ask you not to disclose any of this information publicly
>>   until we have confirmed an embargo date for these issues. (please
>>   let me know if you are not familiar with this practice).
>>Well, I'm not familiar with this practice!
>>Embargo date?  Who does this guy think he is???

> someone in a cert team somewhere, presumably.

> their business is finding vulnerabilities in software, that could
> cause vulnerabilities if installed on a web server.  unchecked
> strcpy, iirc, was the ultimate source of the morris worm so it's the
> sort of thing these people look for.

> it's irrelevant whether it's difficult to "trip over the problem";
> what's relevant is whether it's possible to use the problem to
> construct an attack on the server that offers the program.

> (we get personal service from our local cert team, because we know all
> of the members well; if we get messages from any other -- even if it's
> from the isp's team -- they tend to be pretty impersonal.  if you run
> a service of any sort, you're likely to attract messages from cert
> teams all over the place.  we do.)

Thanks, Robin.  I agree that can be a useful community service,
and maybe I overreacted a little.  But I get emails from people
with requests or pointing out errors all the time, none of whom
have felt the need to use words like "embargo" until now.

Anyway, I've looked over the remaining 91 occurrences of strcpy
in mimetex.c, which are all pretty benign, comprising statements
like
    strcpy(subexpr,"{");           /* start off with opening { */
or like
    strcpy(expression,delim+1);    /* shift name= out of expression */
where delim is already a pointer into expression.  Nevertheless,
although mimetex.c isn't large, with 15K lines of code you're almost
guaranteed that some errors remain somewheres.

As for mathtex.c, I've fixed the explicit vulnerability that was
pointed out.  But anyone using it should realize it's essentially
a script written in C that just runs latex and friends.  So it's
going to remain as exploitable as all the similar script cgi's
that are out there.  I'm not sure there's much I can do about that.

So far (knock on wood), however, I haven't received any emails
from people who think their systems have been hacked into
through either mimetex or mathtex.  Though more people use these
programs than I'd have originally guessed, it's still a vanishingly
small user base in web terms.  And I'd guess that seriously
dangerous hackers/crackers might focus their efforts on juicier
targets.
--
John Forkosh  ( mailto:  j...@f.com  where j=john and f=forkosh )
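
Added example (not part of the post and not code from mimetex.c): the two strcpy patterns quoted in the message, written with explicit checks. The function names and the sample expression are hypothetical; the second helper uses memmove because the C standard leaves strcpy undefined when source and destination overlap, which is the case when delim points into expression.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy src into dst, whose capacity is dstsize
 * bytes including the terminating NUL.  Returns 0 on success, -1 if
 * src does not fit; dst is then left empty instead of truncated. */
int copy_checked(char *dst, size_t dstsize, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    n = strlen(src);
    if (n >= dstsize) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);           /* n + 1 copies the NUL too */
    return 0;
}

/* Hypothetical helper: move the tail of buf that starts at offset off
 * down to the front of buf, the strcpy(expression,delim+1) pattern.
 * Source and destination overlap, so memmove is used.
 * Returns 0 on success, -1 if off lies past the end of the string. */
int shift_to_front(char *buf, size_t off)
{
    size_t len;
    if (buf == NULL)
        return -1;
    len = strlen(buf);
    if (off > len)
        return -1;
    memmove(buf, buf + off, len - off + 1);
    return 0;
}

int main(void)
{
    char expression[32] = "name=x^2+y^2";   /* constructed sample input */
    char subexpr[8];
    char *delim = strchr(expression, '=');

    if (delim != NULL)
        shift_to_front(expression, (size_t)(delim + 1 - expression));
    copy_checked(subexpr, sizeof subexpr, "{");
    printf("%s %s\n", expression, subexpr);
    return 0;
}
```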


 