Hi Rafael! You wrote:
> The mimep program is very handy and it is a pity that it has been excluded
> from the mp package. However, I fully understand the maintainer's concerns
> about vulnerabilities related to the use of tempnam.
>
> I prepared a quite trivial patch (attached below) that replaces calls to
> tempnam by calls to mkstemp.

Thanks!

> Still, I do not understand what is meant by "insecure calls to LaTeX and
> dvips".

The problem is that mimep puts the input literally in a LaTeX file. An
attacker could use this to put TeX and dvips specials in the original mail,
thereby effectively hijacking the LaTeX and dvips sessions run by mimep, and
possibly executing arbitrary code without the user being aware.
I guess the issue could be solved by escaping all backslashes in the input
document. I'll look into this.

> I am also attaching below a patch to allow the TMPDIR environment variable.
> The priority order is MIMEPTMDIR -> TMPDIR -> "/tmp".

Great, thanks!

> Please, reconsider the inclusion of the mimep program into the mp package.

I will. The TeX issue shouldn't be hard to fix, and the other issues should
be resolved by your patches.

Thanks!
Bas.

-- 
Kind regards,
+--------------------------------------------------------------------+
| Bas Zoetekouw              | GPG key: 0644fab7                     |
|----------------------------| Fingerprint: c1f5 f24c d514 3fec 8bf6 |
| [EMAIL PROTECTED]          |              a2b1 2bae e41f 0644 fab7 |
+--------------------------------------------------------------------+
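
The two changes discussed in this thread (tempnam replaced by mkstemp, and the MIMEPTMDIR -> TMPDIR -> "/tmp" directory order), sketched as an added example; it is not the patch from the thread or mimep's own code. The helper names `pick_tmpdir` and `make_temp` and the `mimep-` file prefix are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Directory priority as stated in the mail: MIMEPTMDIR -> TMPDIR -> "/tmp".
 * An unset or empty variable falls through to the next choice. */
static const char *pick_tmpdir(void)
{
    static const char *vars[] = { "MIMEPTMDIR", "TMPDIR" };
    for (size_t i = 0; i < sizeof vars / sizeof vars[0]; i++) {
        const char *v = getenv(vars[i]);
        if (v != NULL && v[0] != '\0')
            return v;
    }
    return "/tmp";
}

/* tempnam() only returns a name, so another process can create that path
 * (for instance as a symlink) before the caller opens it. mkstemp() picks
 * the name and opens it with O_CREAT|O_EXCL in one step, with no access
 * for group or others. Hypothetical helper: returns the open fd and leaves
 * the final name in path, or returns -1 on error. */
static int make_temp(char *path, size_t len, const char *prefix)
{
    int n = snprintf(path, len, "%s/%sXXXXXX", pick_tmpdir(), prefix);
    if (n < 0 || (size_t)n >= len)
        return -1;              /* template truncated: refuse to use it */
    return mkstemp(path);       /* -1 on failure, errno set */
}

int main(void)
{
    char path[4096];
    struct stat st;
    int fd = make_temp(path, sizeof path, "mimep-");
    if (fd < 0 || fstat(fd, &st) != 0) {
        perror("make_temp");
        return 1;
    }
    printf("created %s mode %o\n", path, (unsigned)(st.st_mode & 0777));
    close(fd);
    unlink(path);               /* caller removes the file when done */
    return 0;
}
```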

