Source: latex2html
Version: 2015-debian1-1
Severity: important
User: debian-p...@lists.debian.org
Usertags: perl-cwd-inc-removal
Tags: security

This script relies on '.' being in @INC, which is a problem because we are planning to remove it. One example of the problem this can cause is at [1] but I think there is a wider range of issues than that; searching the script for require shows several other places.

Here is an extract from the log file in question:

  latex2html -split 4 -link 2 -show_section_numbers -antialias -tmp /tmp -long_titles 3 -toc_depth 2 -local_icons ref.tex
  Note: Loading ./.latex2html-init
  Note: Initialising with file: .latex2html-init
  Can't locate .latex2html-init: /root/.latex2html-init: Permission denied at /usr/bin/latex2html line 421.

This change is being made for security reasons, and matches the long-term upstream plan to remove '.' from @INC; for more background, see #588017 and [2].

Probably the immediate fix for latex2html is to add

  use lib '.';

to the top, but in that case the script should be carefully audited for file inclusion vulnerabilities, through optional module loading and assumptions about working directories. I doubt it can be made properly safe this way but it is no worse than the current situation.

Since the script relies on requiring perl scripts as data input (ingesting its own output) it would appear that it cannot ever be run on untrusted data. Perhaps that should be made explicit. (As a user, I would not expect latex2html to run perl code from the current working directory).

This bug will become RC when the perl package change removing '.' from @INC by default is uploaded to unstable, expected in a week or two. This behaviour can be tested prior to the upload by uncommenting the line in /etc/perl/sitecustomize.pl (on any up-to-date wheezy, jessie or sid system).

Thanks,
Dominic.

[1] <http://perl.debian.net/rebuild-logs/experimental/condor_8.4.2~dfsg.1-1/condor_8.4.2~dfsg.1-1_amd64-20160727-2333.build>
[2] <https://lists.debian.org/debian-release/2016/07/msg00456.html>
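
An added example, not part of the original report and not latex2html code: a small Perl helper for the audit the report recommends, listing require/do statements whose target is searched for in @INC, loaded relative to the working directory, or decided at run time. It only looks at quoted-string and variable targets (bareword module names are not covered), and the sample lines under __DATA__, including $INIT_FILE and /etc/latex2html.conf, are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: flag require/do targets that depend on @INC or on the cwd.
use strict;
use warnings;

# Classify one source line; returns a list of [kind, statement] pairs.
sub classify_line {
    my ($line) = @_;
    $line =~ s/^\s*#.*//;    # ignore whole-line comments
    my @hits;
    while ($line =~ /\b(require|do)\s*\(?\s*(?:(["'])(.*?)\2|(\$[\w:]+))/g) {
        my ($kw, $q, $path, $var) = ($1, $2, $3, $4);
        if (defined $var) {
            push @hits, ['dynamic', "$kw $var"];        # target chosen at run time
        }
        elsif ($q eq '"' && $path =~ /[\$\@]/) {
            push @hits, ['dynamic', "$kw $path"];       # interpolated path
        }
        elsif ($path =~ m{^/}) {
            next;                                       # absolute: @INC not consulted
        }
        elsif ($path =~ m{^\.\.?/}) {
            push @hits, ['cwd-relative', "$kw $path"];  # read from the working directory
        }
        else {
            push @hits, ['inc-search', "$kw $path"];    # looked up through @INC
        }
    }
    return @hits;
}

# Scan the file named on the command line, or the constructed sample below.
my $fh;
if (@ARGV) { open($fh, '<', $ARGV[0]) or die "open $ARGV[0]: $!"; }
else       { $fh = \*DATA; }
while (my $line = <$fh>) {
    printf "%d: %-12s %s\n", $., @$_ for classify_line($line);
}

__DATA__
# constructed sample lines, not taken from latex2html
require ".latex2html-init";
require "./.latex2html-init";
require $INIT_FILE;
do "$HOME/.latex2html-init";
require "/etc/latex2html.conf";
```

Lines reported as inc-search are the ones that stop working once '.' leaves @INC; cwd-relative and dynamic lines are where the working-directory assumptions mentioned in the report need review.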