Package: texlive-extra-utils
Version: 2018.20190131-1
Severity: normal
Tags: patch upstream
Forwarded: https://gitlab.com/latexpand/latexpand/merge_requests/6
In the latexpand script, the detection of comments is buggy: if a % is not at
the beginning of a line, it will not be regarded as introducing a comment,
unless it is preceded by a backslash; in short, the meaning of a backslash has
been reversed. This means that if one has a line like

 % and then \input it with a command in babelbst.tex.

(with a space before the "%"), latexpand attempts to open the file named "it".

I don't think this is a security bug, but users should be careful when working
on 3rd-party .tex files, if sanitization does not take care of this bug and
other limitations.

I've attached a patch. This may not be sufficient because code like \\% is not
considered, but the behavior has improved.

-- Package-specific info:
IMPORTANT INFORMATION: We will only consider bug reports concerning
the packaging of TeX Live as relevant. If you have problems with
combination of packages in a LaTeX document, please consult your local
TeX User Group, the comp.text.tex user group, the author of the original
.sty file, or any other help resource. In particular, bugs that are related
to up-upstream, i.e., neither Debian nor TeX Live (upstream), but the original
package authors, will be closed immediately.

*** The Debian TeX Team is *not* a LaTeX Help Desk ***

If you report an error when running one of the TeX-related binaries
(latex, pdftex, metafont,...), or if the bug is related to bad or wrong
output, please include a MINIMAL example input file that produces the
error in your report. Please run your example with

(pdf)latex -recorder ...

(or any other program that supports -recorder) and send us the generated
file with the extension .fls, it lists all the files loaded during the
run and can easily explain problems induced by outdated files in your
home directory.

Don't forget to also include minimal examples of other files that are
needed, e.g. bibtex databases. Often it also helps to include the logfile.

Please, never send included pictures!
If your example file isn't short or produces more than one page of output
(except when multiple pages are needed to show the problem), you can
probably minimize it further. Instructions on how to do that can be found
at http://www.minimalbeispiel.de/mini-en.html (English) or
http://www.minimalbeispiel.de/mini.html (German)

##################################
minimal input file


##################################
other files


######################################
List of ls-R files

-rw-r--r-- 1 root root 2879 2019-02-12 01:34:10 /var/lib/texmf/ls-R
lrwxrwxrwx 1 root root 29 2018-09-02 14:32:33 /usr/share/texmf/ls-R -> /var/lib/texmf/ls-R-TEXMFMAIN
lrwxrwxrwx 1 root root 31 2019-01-31 04:53:23 /usr/share/texlive/texmf-dist/ls-R -> /var/lib/texmf/ls-R-TEXLIVEDIST
lrwxrwxrwx 1 root root 31 2019-01-31 04:53:23 /usr/share/texlive/texmf-dist/ls-R -> /var/lib/texmf/ls-R-TEXLIVEDIST
######################################
Config files

-rw-r--r-- 1 root root 475 2018-09-02 20:20:53 /etc/texmf/web2c/texmf.cnf
lrwxrwxrwx 1 root root 33 2019-01-31 04:53:23 /usr/share/texmf/web2c/fmtutil.cnf -> /var/lib/texmf/fmtutil.cnf-DEBIAN
lrwxrwxrwx 1 root root 32 2019-01-31 04:53:23 /usr/share/texmf/web2c/updmap.cfg -> /var/lib/texmf/updmap.cfg-DEBIAN
-rw-r--r-- 1 root root 5089 2019-02-02 17:01:20 /var/lib/texmf/tex/generic/config/language.dat
######################################
Files in /etc/texmf/web2c/

total 8
-rw-r--r-- 1 root root 283 2014-10-21 02:46:09 mktex.cnf
-rw-r--r-- 1 root root 475 2018-09-02 20:20:53 texmf.cnf
######################################
md5sums of texmf.d

ca40c66f144b4bafc3e59a2dd32ecb9c /etc/texmf/texmf.d/00debian.cnf

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-3-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages texlive-extra-utils depends on:
ii  libunicode-linebreak-perl  0.0.20170401-1+b1
ii  python                     2.7.15-4
ii  tex-common                 6.10
ii  texlive-base               2018.20190131-1
ii  texlive-binaries           2018.20181218.49446-1
ii  texlive-latex-base         2018.20190131-1

Versions of packages texlive-extra-utils recommends:
ii  ghostscript                9.26a~dfsg-0+deb9u1
ii  libfile-homedir-perl       1.004-1
ii  libyaml-tiny-perl          1.73-1
ii  ruby                       1:2.5.1
ii  texlive-latex-recommended  2018.20190131-1

Versions of packages texlive-extra-utils suggests:
ii  chktex      1.7.6-2+b1
ii  dvidvi      1.0-8.2+b1
ii  dvipng      1.15-1.1
ii  fragmaster  1.7-8
ii  lacheck     1.26-17
ii  latexdiff   1.3.0-1
ii  latexmk     1:4.61-0.1
ii  purifyeps   1.1-2
pn  xindy       <none>

Versions of packages tex-common depends on:
ii  dpkg  1.19.4
ii  ucf   3.0038+nmu1

Versions of packages tex-common suggests:
ii  debhelper  12.1

Versions of packages texlive-extra-utils is related to:
ii  tex-common        6.10
ii  texlive-binaries  2018.20181218.49446-1

-- debconf information excluded

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
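The comment rule at issue in this report, as an added example in Python (not part of the bug report and not latexpand's own code). It runs the pre-patch and post-patch comment prefixes from the attached diff against the reported line and three further constructed lines, and contrasts them with a small scanner that applies TeX's actual rule: a backslash consumes the character after it, so `\%` is a literal percent while `\\%` starts a comment. The sample lines other than the reported one, and the helper names `strip_tex_comment`, `safe_input_target` and `compare`, are constructed for this example.

```python
import re

# Comment-prefix alternatives copied from the attached diff (Perl syntax that
# Python's re accepts unchanged): the pre-patch and post-patch forms.
BUGGY_PREFIX = r"^(([^%]|[^\\]%)*)"   # before the patch: '%' is skipped only if NOT preceded by '\'
PATCHED_PREFIX = r"^(([^%]|\\%)*)"    # after the patch: only an escaped '\%' is skipped
INPUT_TAIL = r"\\input[{\s]+(.*?)[\s}](.*)$"

BUGGY_INPUT = re.compile(BUGGY_PREFIX + INPUT_TAIL)
PATCHED_INPUT = re.compile(PATCHED_PREFIX + INPUT_TAIL)

# Sample lines: the first is the one from the report, the rest are constructed.
REPORTED_LINE = r" % and then \input it with a command in babelbst.tex."
TRAILING_COMMENT = r"\input{chapter1} % \input{notes}"
ESCAPED_BACKSLASH = r"\\% \input{stray}"       # \\ is a control symbol, so % starts a comment
ESCAPED_PERCENT = r"Rate: 50\% \input{table}"  # \% is a literal percent, \input is real


def regex_input_target(pattern, line):
    """File name the latexpand-style regex extracts from `line`, or None."""
    m = pattern.match(line)
    return m.group(3) if m else None


def strip_tex_comment(line):
    """Return the part of `line` that TeX actually reads: everything before the
    first unescaped '%'. A backslash always consumes the next character, so
    '\\%' is a literal percent and '\\\\' is a literal backslash (after which
    a '%' does start a comment)."""
    kept = []
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\":
            kept.append(line[i:i + 2])   # keep the escape pair untouched
            i += 2
        elif c == "%":
            break                         # genuine comment start
        else:
            kept.append(c)
            i += 1
    return "".join(kept)


INPUT_CMD = re.compile(r"\\input[{\s]+(.*?)[\s}]")


def safe_input_target(line):
    """Look for \\input only in the non-comment part of the line."""
    m = INPUT_CMD.search(strip_tex_comment(line))
    return m.group(1) if m else None


def compare(line):
    """Results for one line as (buggy regex, patched regex, scanner)."""
    return (regex_input_target(BUGGY_INPUT, line),
            regex_input_target(PATCHED_INPUT, line),
            safe_input_target(line))


if __name__ == "__main__":
    for name, line in [("reported line", REPORTED_LINE),
                       ("trailing comment", TRAILING_COMMENT),
                       ("escaped backslash", ESCAPED_BACKSLASH),
                       ("escaped percent", ESCAPED_PERCENT)]:
        buggy, patched, scanner = compare(line)
        print(f"{name:18} buggy={buggy!r} patched={patched!r} scanner={scanner!r}")
```

The reported line shows the inversion: the old prefix accepts ` %` as non-comment text and extracts `it`, the patched prefix stops at the `%`. The trailing-comment line shows the old regex preferring the commented `\input{notes}` over the real `\input{chapter1}`, because the greedy prefix happily runs past ` %`. The last two lines are the limitation the reporter mentions: the patched prefix treats `\\%` as an escaped percent and so still finds `\input{stray}` inside a comment, whereas the character scanner, which consumes each backslash together with the character after it, gets all four cases right.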
--- a/texmf-dist/scripts/latexpand/latexpand 2018-05-01 19:35:37.000000000 +0200 +++ b/texmf-dist/scripts/latexpand/latexpand 2019-02-16 00:29:55.279697355 +0100 @@ -213,7 +213,7 @@ unless ($keep_includes) { if (my ($before, $ignored, $full_filename, $after) - = /^(([^%]|[^\\]%)*)\\include[{\s]+(.*?)[\s}](.*)$/) { + = /^(([^%]|\\%)*)\\include[{\s]+(.*?)[\s}](.*)$/) { $full_filename = find_tex_file($full_filename . ".tex"); if ($full_filename) { say $prefix . "Found include for file: $full_filename\n"; @@ -231,7 +231,7 @@ $_ = ""; } } elsif (my ($before, $ignored, $full_filename, $after) - = /^(([^%]|[^\\]%)*)\\input[{\s]+(.*?)[\s}](.*)$/) { + = /^(([^%]|\\%)*)\\input[{\s]+(.*?)[\s}](.*)$/) { if ($inside_import) { $full_filename = $inside_import . $full_filename; } @@ -255,7 +255,7 @@ $_ = ""; } } elsif (my ($before, $ignored, $dir, $full_filename, $after) - = /^(([^%]|[^\\]%)*)\\(?:sub)?import[{\s]+(.*?)[\s}][{\s]+(.*?)[\s}](.*)$/) { + = /^(([^%]|\\%)*)\\(?:sub)?import[{\s]+(.*?)[\s}][{\s]+(.*?)[\s}](.*)$/) { if ($explain) { print "% dir " . $dir ."\n"; print "% full_filename " . $full_filename ."\n"; @@ -290,7 +290,7 @@ $_ = ""; } } elsif (my ($before, $ignored, $args, $full_filename, $after) - = /^(([^%]|[^\\]%)*)\\includegraphics[\[\s]+(.*?)[\s\]][{\s]+(.*?)[\s}](.*)$/) { + = /^(([^%]|\\%)*)\\includegraphics[\[\s]+(.*?)[\s\]][{\s]+(.*?)[\s}](.*)$/) { if ($explain) { print "% inside_import " . $inside_import ."\n"; print "% before " . $before ."\n"; @@ -305,7 +305,7 @@ $_ = ""; } } elsif (my ($before, $ignored, $args, $full_filename, $after) - = /^(([^%]|[^\\]%)*)\\lstinputlisting[\[\s]+(.*?)[\s\]][{\s]+(.*?)[\s}](.*)$/) { + = /^(([^%]|\\%)*)\\lstinputlisting[\[\s]+(.*?)[\s\]][{\s]+(.*?)[\s}](.*)$/) { if ($explain) { print "% inside_import " . $inside_import ."\n"; print "% before " . $before ."\n";
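Review bot: in the first hunk (the `\include` pattern at line 213) the new prefix `^(([^%]|\\%)*)` still mishandles a literal `\\%`: `[^%]` can consume the first backslash and `\\%` the second one together with the percent sign, so a `\include` that follows `\\%` on the same line is still expanded although TeX treats it as a comment. That is the `\\%` case the submitter flags as not considered. A prefix that makes every backslash consume the following character, such as `(?:[^%\\]|\\.)*`, covers `\%` and `\\%` alike; if it is adopted, the `($before, $ignored, ...)` binding has to be adjusted, because the inner group would no longer capture.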
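Review bot: the second hunk (the `\input` pattern at line 231) is the one that fixes the reported behaviour, but the merge request carries no regression test. A test document containing the reported line ` % and then \input it with a command in babelbst.tex.` (which must no longer open a file named `it`) and a line with `\%` followed by a genuine `\input{...}` (which must still be expanded) would pin both directions of the corrected rule.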
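Review bot: starting with the third hunk (the `\import`/`\subimport` pattern at line 255), the same comment-prefix expression is edited identically in five places, including the `\includegraphics` and `\lstinputlisting` hunks that follow. Hoisting it once, e.g. `my $not_comment = qr/^(([^%]|\\%)*)/;`, and interpolating `$not_comment` at the start of each pattern would keep the five copies from drifting apart the next time the comment rule changes; since the patterns bind `($before, $ignored, ...)` positionally, the shared expression has to keep exactly two capturing groups.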