Date: 8 April 90
Message No: 029
To: TeX implementors and distributors
From: Barbara Beeton
Subject: Additional changes, TeX 3.14, MF 2.7; ERRATA.TeX; security report

This message contains only the most urgent changes. I am extremely short on time, and will be out of town from Apr 11-20 at a standards meeting in Kyoto. (I will probably be quite incoherent when I return; 14-hour time shifts and I don't get along too well.)

Included here are the following
    Addenda to TeX82.BUG as of 26 March 91
    New errata list (ERRATA.TEX) -- full list
    Differences between TeX.WEB 3.14 as of 18 March 1991 and as of 26 Mar 1991
    Differences between MF.WEB 2.7 as of 13 March 1991 and as of 26 Mar 1991

The differences lists were run under VAX/VMS and hand-edited to provide the starting line number for each code block. This is the closest I can come to the former TOPS-20 differences lists. I was very careful to check the hand work, and didn't catch any errors. However, you should be aware that this was not entirely machine generated.

I received on paper today a package of commented bug reports from Knuth. I have added the comments to the original file, and will send that as message #30. I am doing this to save time. Several people will get rewards from their reports; I will be in touch with them individually. Although this package arrived only today, I believe that all the bugs that Knuth accepted were fixed in the versions of March 26 referred to below.

I have had another report, one that I really don't like to advertise. I have passed it along to Knuth, and also checked it out with another expert. This report dealt with a "security flaw", specifically in Unix implementations, but possibly able to be activated within other operating system environments as well. Here is the introduction to the report:

    Date: Tue, 26 Mar 91 12:52:33 -0500
    From: Zbigniew Fiedorowicz
    To: tug@math.ams.com
    Cc: tech-support@math.ams.com
    Subject: TeX security problem

    Please pass this on to Prof. Knuth, or whoever maintains the official TeX source code:

    I am writing to inform you about a security flaw affecting Unix implementations of TeX (perhaps other operating systems as well). The problem is that one can easily imbed TeX commands in ordinary TeX files to write arbitrary text into a user's system files, such as .login, .cshrc, .profile, .logout, etc. When a file with such commands is typeset, they may execute silently without the user being any the wiser. This provides a mechanism for anything from harmless pranks to serious vandalism. To illustrate the problem, I enclose below a "TeX virus".

    To prevent this sort of thing, TeX should check commands of the form \openoutn=filename is not something like .login, ../.logout, etc. It would seem reasonable to impose the condition that the only filenames acceptable to TeX must end in the form x.xxx...x where x denotes an alphanumeric character.

    Zbigniew Fiedorowicz

The report was accompanied by a "demo virus", both a summary of the strategy and the code. In order to contain this as well as possible, I will not send out the code or strategy without a specific request, and then, only to people whose credentials I am sure of.

I asked the moderator of the VIRUS-L discussion list to look at the strategy and determine whether it is plausible. He did so, and here is his analysis.

    Date: Thu, 28 Mar 91 09:56:48 EST
    From: Kenneth R. van Wyk

    Ms. Beeton,

    Thank you for your letter regarding the use of TeX for propagating viruses. While I am only slightly familiar with TeX, I do fully understand the nature of the problem. Without even looking at the example code (though I would be happy to do so), I can imagine ways in which it could be exploited. I see the problem as being more general in scope than just viruses; indeed, a trojan horse login "program" could easily be implemented which could be used to collect usernames and passwords. This is along the lines of pranks that have been seen in (among other places, no doubt) university computing environments for years.

    On the other hand, I would imagine that the people who designed and implemented this feature had legitimate reasons for doing so. The report that you sent to me mentioned one alternative, which was to only allow certain classes of filenames. One other alternative which you may wish to consider is to notify the user whenever a file is to be written to in this manner and allow the user to deny access to the file. A message to the extent of "File xxx.tex is attempting to write to file .login. This could have serious security related repercussions. Do you wish to proceed? "

    In summary, yes I believe that the threat is real. It could certainly and easily be used to cause damage. The damage could be in the form of a virus, but would not be limited to viruses. It could just as easily be used in an attempt to obtain another user's password or just about anything else. The problem is not insurmountable. The file output facility could be removed (in the extreme case) or an alternative approach could be used. I personally like the idea of informing the user and allowing him/her to deny the access before it happens. The decision is yours to make.

    Kenneth R. van Wyk
    Moderator VIRUS-L/comp.virus
    Technical Coordinator, Computer Emergency Response Team
    Software Engineering Institute
    Carnegie Mellon University
    krvw@CERT.SEI.CMU.EDU  (work)
    ken@OLDALE.PGH.PA.US   (home)
    (412) 268-7090  (CERT 24 hour hotline)

In reply to the copy of the full report that I sent to Knuth, he sent back to me a sheet of Unix diffs to be forwarded to Pierre MacKay (as TUG Unix site coordinator), which I am about to do, along with all the supporting correspondence. I will ask Pierre to notify the list when he has received it, and, if he will, to answer questions on the subject. That will allow me to go away with a clear conscience.
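An added illustration for implementors, not part of this message, of Knuth's diffs, or of the report quoted above: the C fragment below shows one way an implementation could vet the name handed to \openout before opening the file, applying both remedies mentioned in the correspondence. openout_name_allowed() refuses hidden files such as .login, and in its strictest setting also refuses absolute paths and ".." components (the ../.logout case); ends_alnum_dot_alnum() implements the report's proposed rule that a name must end in the form x.xxx...x with x alphanumeric, read literally. The function names, the three policy levels and the sample names are assumptions of this example and are constructed, not taken from the report's demo.

```c
/* Added example: a filename policy for \openout, not code from tex.web or
 * from the report quoted above.  Names, policy levels and samples are
 * assumptions of this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy levels: 'a' allows any name, 'r' refuses hidden files,
 * 'p' additionally refuses absolute paths and ".." components. */
enum openout_policy {
    OPENOUT_ANY = 'a',
    OPENOUT_RESTRICTED = 'r',
    OPENOUT_PARANOID = 'p'
};

/* The report's rule, read literally: the name must end in x.xxx...x,
 * i.e. an alphanumeric, a dot, then one or more alphanumerics.
 * Returns 1 if the name satisfies the rule, 0 otherwise. */
int ends_alnum_dot_alnum(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (dot == NULL || dot == name || dot[1] == '\0')
        return 0;                                   /* no dot, leading dot, or trailing dot */
    if (!isalnum((unsigned char)dot[-1]))
        return 0;                                   /* e.g. "../.logout": '/' precedes the dot */
    for (const char *p = dot + 1; *p; p++)
        if (!isalnum((unsigned char)*p))
            return 0;                               /* e.g. "out.log~" */
    return 1;
}

/* Returns 1 if \openout may write `name` under `policy`, 0 otherwise.
 * Every path component is examined, not only the last one. */
int openout_name_allowed(const char *name, enum openout_policy policy)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (policy == OPENOUT_ANY)
        return 1;
    if (policy == OPENOUT_PARANOID && name[0] == '/')
        return 0;                                   /* absolute path */

    const char *p = name;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > 0 && p[0] == '.') {
            if (len == 1) {
                /* "." is the current directory: harmless */
            } else if (len == 2 && p[1] == '.') {
                /* ".." walks upward, out of the working directory */
                if (policy == OPENOUT_PARANOID)
                    return 0;
            } else {
                /* any other dot-name is a hidden file such as .login */
                return 0;
            }
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names for the demonstration. */
    const char *samples[] = {
        "paper.aux", ".login", "../.logout", "../notes.tex", "/tmp/absolute.tex"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s restricted=%d paranoid=%d report-rule=%d\n", samples[i],
               openout_name_allowed(samples[i], OPENOUT_RESTRICTED),
               openout_name_allowed(samples[i], OPENOUT_PARANOID),
               ends_alnum_dot_alnum(samples[i]));
    return 0;
}
```

The three levels mirror the any/restricted/paranoid distinction that later web2c-based TeX systems adopted for the openout_any setting in texmf.cnf; van Wyk's alternative, prompting the user before the write, would sit naturally in the branch where the policy check fails.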
########################################################################

Addenda to TeX82.BUG as of 26 March 91

-------------
Note: When making change 376, I forgot to delete the redundant code in module 883, and I should also have changed the name of that module. These cosmetic changes (and some changes to the comments) were made in version 3.14, in addition to the following two changes.
-------------

393. Show unprintable characters in font id's (Wayne Sullivan, Dec 1990)

@x module 63
print(s);
@y
slow_print(s);
@z
@x module 262 can now be spruced up
else  begin print_esc(""); slow_print(text(p));
@y
else  begin print_esc(text(p));
@z
@x and module 263 likewise
else  begin print_esc(""); slow_print(text(p));
  end;
@y
else print_esc(text(p));
@z

394. Avoid range check if total_pages>65535 (Eberhard Mattes, Dec 1990)

@x module 642
dvi_out(total_pages div 256); dvi_out(total_pages mod 256);@/
@y
dvi_out((total_pages div 256) mod 256); dvi_out(total_pages mod 256);@/
@z

-----------

395. The absolutely final change (to be made after my death)

@x module 2
@d banner=='This is TeX, Version 3.14' {printed when \TeX\ starts}
@y
@d banner=='This is TeX, Version $\pi$' {printed when \TeX\ starts}
@z

My last will and testament for TeX is that no further changes be made under any circumstances. Improved systems should not be called simply `TeX'; that name, unqualified, should refer only to the program for which I have taken personal responsibility.
                                                        -- Don Knuth

* Possibly nice ideas that will not be implemented
. classes of marks analogous to classes of insertions
. \showcontext to show the current location without stopping for error
. \show commands to be less like errors
. \everyeof to insert tokens before an \input file ends (strange example: \everyeof{\noexpand} will allow things like \xdef\a{\input foo}!)
. generalize \leftskip and \rightskip to token lists (problems with displayed math then)
. generalize \widowline and \clubline to go further into a paragraph
. \lastbox to remove and box a charnode if one is there

* Bad ideas that will not be implemented
. several people want to be able to remove arbitrary elements of lists, but that must never be done because some of those elements (e.g. kerns for accents) depend on floating point arithmetic
. if anybody wants letter spacing desperately they should put it in their own private version (e.g. generalize the hpack routine) and NOT call it TeX.

########################################################################

New errata list (ERRATA.TEX) -- full list

% Bugs (sigh) in Computers \& Typesetting --- the most recent errata
\input manmac
\font\sltt=cmsltt10
\font\niness=cmss9
\font\ninessi=cmssi9
\proofmodefalse
\raggedbottom
\output{\hsize=29pc \onepageout{\unvbox255\kern-\dimen@ \vfil}}
\def\today{\number\day\ \ifcase\month\or
  Jan\or Feb\or Mar\or Apr\or May\or Jun\or
  Jul\or Aug\or Sep\or Oct\or Nov\or Dec\fi
  \ \number\year}
\def\cutpar{{\parfillskip=0pt\par}}
\def\rhead{Bugs in {\tensl Computers \& Typesetting as of \today}}
\def\bugonpage#1(#2) \par{\bigbreak\tenpoint
  \hrule width\hsize
  \line{\lower3.5pt\vbox to13pt{}Page #1\hfil(#2)}\hrule width\hsize
  \nobreak\medskip}
\def\buginvol#1(#2) \par{\bigbreak\penalty-1000\tenpoint
  \hrule width\hsize
  \line{\lower3.5pt\vbox to13pt{}Volume #1\hfil(#2)}\hrule width\hsize
  \nobreak\medskip}
\def\slMF{{\manual 89:;}\-{\manual <=>:}} % slant the logo
\def\0{\raise.7ex\hbox{$\scriptstyle\#$}}
\newcount\nn
\newdimen\nsize \newdimen\msize
\newdimen\ninept \ninept=9pt
\newbox\eqbox \setbox\eqbox=\hbox{\kern2pt\eightrm=\kern2pt}

\tenpoint
\noindent This is a list of all corrections made to {\sl Computers \& Typesetting},
Volumes A,~C, and E\null, since 1 January 1991.
Corrections made to the softcover version of {\sl The \TeX book\/}
are the same as corrections to Volume~A\null.
Corrections to the softcover version of {\sl The \slMF\kern1ptbook\/}
are the same as corrections to Volume~C\null.
Some of the corrections below have already been made in reprintings of the books.
Hundreds of changes, too many to list here, have been made to Volumes B~and~D
because of the upgrades to \TeX\ and \MF\null. Readers who need up-to-date
information on the \TeX\ and \MF\ programs should refer to the |WEB| source
files until new printings of Volumes B~and~D are issued.
\looseness=-1

% volume A

\bugonpage A377, the bottom 14 lines (3/26/91)

\eightpoint\indent ASCII \; the macro also decides whether a space token is
explicit or implicit.
\begintt
\newif\ifspace \newif\iffunny \newif\ifexplicit
\def\stest#1{\expandafter\s\the#1! \stest}
\def\s{\funnyfalse \global\explicitfalse \futurelet\next\ss}
\def\ss{\ifcat\noexpand\next\stoken \spacetrue
    \ifx\next\stoken \let\next=\sss \else\let\next=\ssss \fi
  \else \let\next=\sssss \fi \next}
\long\def\sss#1 #2\stest{\def\next{#1}%
  \ifx\next\empty \global\explicittrue \fi}
\long\def\ssss#1#2\stest{\funnytrue {\uccode`#1=`~
  \uppercase{\ifcat\noexpand#1}\noexpand~% active funny space
  \else \escapechar=\if*#1`?\else`*\fi
    \if#1\string#1\global\explicittrue\fi \fi}}
\long\def\sssss#1\stest{\spacefalse}
\endtt

\bugonpage A444, lines 15--26 (3/26/91)

\ninepoint
\textindent{\bf14.}If the current item is an Ord atom, go directly to Rule~17
unless all of the following are true: The nucleus is a symbol; the subscript
and superscript are both empty; the very next item in the math list is an atom
of type Ord, Op, Bin, Rel, Open, Close, or Punct; and the nucleus of the next
item is a symbol whose family is the same as the family in the present Ord atom.
In such cases the present symbol is marked as a text symbol. If the font
information shows a ligature between this symbol and the following one, using
the specified family and the current size, then insert the ligature character
and continue as specified by the font; in this process, two characters may
collapse into a single Ord text symbol, and/or new Ord text characters may
appear. If the font information shows a kern between the current symbol and
the next, insert a kern item following the current atom. As soon as an Ord
atom has been fully processed for ligatures and kerns, go to Rule~17.

% volume B
\hsize=35pc
\def\\#1{\hbox{\it#1\/\kern.05em}} % italic type for identifiers
\def\to{\mathrel{.\,.}} % double dot, used only in math mode

% volume C
\hsize=29pc
\def\\#1{\hbox{\it#1\/\kern.05em}} % italic type for identifiers

\bugonpage C262, line 15 (3/26/91)

\ninepoint\noindent
|string base_name, base_version; base_name="plain"; base_version="2.7";|

\bugonpage C271, line 17 from the bottom (3/26/91)

\ninepoint\noindent
| currentpen_path shifted (z.t_) withpen penspeck enddef;|

\bugonpage C347, Bront''e entry (1/29/91)

\eightpoint\noindent
[The accent was clobbered; her name should, of course, be Bront\"e.
Fix the entries for D\"urer, M\"obius, and Stravinsky in the same way.]

% Volume D
\hsize=35pc
\def\\#1{\hbox{\it#1\/\kern.05em}} % italic type for identifiers
\def\to{\mathrel{.\,.}} % double dot, used only in math mode

% volume E
\hsize=29pc
\def\dashto{\mathrel{\hbox{-\kern-.05em}\mkern3.9mu\hbox{-\kern-.05em}}}

\bye

########################################################################

Differences between TeX.WEB 3.14 as of 18 March 1991 and as of 26 Mar 1991

************
File SYSA:[TEX.TEX]TEX-314.WEB;1 (42)
% Version 3.14 was a cosmetic change for new Volume B (February 1991).
% A reward of $327.68 will be paid to the first finder of any remaining bug,
******
File PRG:[TEX.NEW]TEX-314.NEW;1 (42)
% Version 3.14 fixed unprintable font names and corrected typos (March 1991).
% A reward of $327.68 will be paid to the first finder of any remaining bug,
************
************
File SYSA:[TEX.TEX]TEX-314.WEB;1 (1571)
print(s);
end;

@ An array of digits in the range |0..15| is printed by |print_the_digs|.
******
File PRG:[TEX.NEW]TEX-314.NEW;1 (1571)
slow_print(s);
end;

@ An array of digits in the range |0..15| is printed by |print_the_digs|.
************
************
File SYSA:[TEX.TEX]TEX-314.WEB;1 (5576)
else  begin print_esc(""); slow_print(text(p));
  print_char(" ");
******
File PRG:[TEX.NEW]TEX-314.NEW;1 (5576)
else  begin print_esc(text(p));
  print_char(" ");
************
************
File SYSA:[TEX.TEX]TEX-314.WEB;1 (5591)
else  begin print_esc(""); slow_print(text(p));
  end;
end;
******
File PRG:[TEX.NEW]TEX-314.NEW;1 (5591)
else print_esc(text(p));
end;
************
************
File SYSA:[TEX.TEX]TEX-314.WEB;1 (12693)
An integer variable |k| will be declared for use by this routine.
******
File PRG:[TEX.NEW]TEX-314.NEW;1 (12692)
If |total_pages>=65536|, the \.{DVI} file will lie.
An integer variable |k| will be declared for use by this routine.
************
************
File SYSA:[TEX.TEX]TEX-314.WEB;1 (12711)
dvi_out(total_pages div 256); dvi_out(total_pages mod 256);@/
@;
******
File PRG:[TEX.NEW]TEX-314.NEW;1 (12711)
dvi_out((total_pages div 256) mod 256); dvi_out(total_pages mod 256);@/
@;
************

Number of difference sections found: 6
Number of difference records found: 7
DIFFERENCES /IGNORE=()/MERGED=1/OUTPUT=PRG:[TEX.NEW]TEX-314.DIF;1-
    SYSA:[TEX.TEX]TEX-314.WEB;1-
    PRG:[TEX.NEW]TEX-314.NEW;1

########################################################################

Differences between MF.WEB 2.7 as of 13 March 1991 and as of 26 Mar 1991

************
File SYSA:[TEX.MF]MF-27.WEB;2 (21835)
\\{xxx} commands might appear anywhere in \.{GF} files generated by other
processors. It is recommended that |x| be a string having the form of a
******
File PRG:[TEX.NEW]MF.WEB;1 (21835)
\\{xxx} commands might appear within characters, in \.{GF} files generated by
other processors. It is recommended that |x| be a string having the form of a
************

Number of difference sections found: 1
Number of difference records found: 2
DIFFERENCES /IGNORE=()/MERGED=1/OUTPUT=PRG:[TEX.NEW]MF-27.DIF;1-
    SYSA:[TEX.MF]MF-27.WEB;2-
    PRG:[TEX.NEW]MF.WEB;1

########################################################################

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Character code reference
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
% Upper case letters: ABCDEFGHIJKLMNOPQRSTUVWXYZ
% Lower case letters: abcdefghijklmnopqrstuvwxyz
% Digits: 0123456789
% Square, curly, angle braces, parentheses: [] {} <> ()
% Backslash, slash, vertical bar: \ / |
% Punctuation: . ? ! , : ;
% Underscore, hyphen, equals sign: _ - =
% Quotes--right left double: ' ` "
% "at", "number" "dollar", "percent", "and": @ # $ % &
% "hat", "star", "plus", "tilde": ^ * + ~
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

[ end of message 029 ]
-------