utilities/mpostcheck.sh - pub/scm/linux/kernel/git/paulmck/perfbook - Git at Google

 #!/bin/sh
 # Check the presence of "mpost" in LaTeX sources
 #
 # A POC of an arbitrary code execution vulnerability in the default
 # configuration of TeX packages was disclosed at
 # https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/.
 # TeX Live 2016 is updated on November 30, 2016 to plug the security hole
 # by removing "mpost" from the "shell_escape_commands" variable of default
 # texmf configuration.
 # However, depending on the customization of a user, he/she can still be
 # affected after the update.
 #
 # To prevent exploitation of the vulnerability, this script checks
 # if "mpost" is present in source files of perfbook.
 # If the vulnerability is fixed in your TeX environment, the check is
 # skipped.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, you can access it online at
 # http://www.gnu.org/licenses/gpl-2.0.html.
 #
 # Copyright (C) Akira Yokosawa, 2016, 2019
 #
 # Authors: Akira Yokosawa <akiyks@gmail.com>
 #
 #-------------------------------------------------------------------
 # Instruction to plug the security hole
 # (based on https://zrbabbler.hatenablog.com/entry/20161206/1481039449
 # (in Japanese), translated and supplemented by Akira Yokosawa)
 #
 # 1. Test the config of your TeX environment
 #
 # Enter the following in a command shell:
 #
 #   $ kpsewhich -var-value=shell_escape_commands
 #
 # Example output:
 #
 #   bibtex,bibtex8,extractbb,kpsewhich,makeindex,mpost,repstopdf
 #
 # If "mpost" appears in the output, your setting is vulnerable.
 # Following variants of "mpost" are also vulnerable:
 #    pmpost
 #    jmpost
 #    upmpost
 #
 # Note:
 #   "rmpost", "rpmpost", "r-mpost", "r-pmpost", and "r-upmpost"
 #    in the list are known to be safe.
 #
 # 2. Solution
 #
 # 2-1. Update TeX distribution if possible
 #
 #   However, depending on your customization, you may still be vulnerable.
 #   Do Step 1 again after the update.
 #   If you are still vulnerable, proceed to Step 2-2.
 #
 # 2-2. Modify texmf configuration
 #
 # 2-2-1. Using tlmgr
 #
 #   If tlmgr is available, enter the following command in a command shell:
 #
 #   $ tlmgr conf texmf shell_escape_commands [list]
 #
 #   Here, [list] is a command list displayed in Step 1 with "mpost," removed,
 #   e.g.:
 #
 #   $ tlmgr conf texmf shell_escape_commands \
 #   > bibtex,bibtex8,extractbb,kpsewhich,makeindex,repstopdf
 #
 # 2-2-2. Manual fix
 #
 #  If tlmgr is not available, proceed as follows:
 #
 #  o Search effective texmf.cnf
 #
 #   Enter the following command:
 #
 #   $ kpsewhich texmf.cnf
 #
 #   The path displayed is the effective one.
 #
 #  o Edit the texmf.cnf to remove "mpost" from shell_escape_commands
 #
 #   If there is a line beginning with "shell_escape_commands=" in the
 #   texmf.cnf file, edit it to remove "mpost,".
 #
 #   If there is not such a line, add a line of:
 #
 #   shell_escape_commands=[list]
 #
 #   where [list] is again a command list displayed in Step 1 with "mpost,"
 #   removed, e.g.:
 #
 #   shell_escape_commands=bibtex,bibtex8,extractbb,kpsewhich,makeindex,repstopdf
 #
 # Note:
 #   If the effective texmf.cnf has a comment saying not to edit it directly,
 #   follow the instruction given there.
 #-------------------------------------------------------------------

 : ${WHICH:=command -v}

 dogrep() {
 	texsrc=`find . -name "*.tex" -print`
 	bibsrc=`find . -name "*.bib" -print`
 	stysrc=`find . -name "*.sty" -print`
 	clssrc=`find . -name "*.cls" -print`
 	bstsrc=`find . -name "*.bst" -print`
 	perfbooksrc="$texsrc $bibsrc $stysrc $clssrc $bstsrc"
 	if grep -w -n "mpost" $perfbooksrc || \
 			grep -w -n "[jp]mpost" $perfbooksrc || \
 			grep -w -n "upmpost" $perfbooksrc
 	then
 		echo "#####################################################"
 		echo "## 'mpost' is found in LaTeX sources. Aborting...  ##"
 		echo "## Refer to comment in utilities/mpostcheck.sh.    ##"
 		echo "#####################################################"
 		exit 1
 	fi
 }

 if $WHICH kpsewhich >/dev/null
 then
 	command_list_orig=`kpsewhich -var-value=shell_escape_commands`
 	command_list=`echo $command_list_orig | sed -E "s/r-u?p?mpost,//g"`
 	if echo $command_list  | grep -w -q "mpost" || \
 			echo $command_list | grep -w -q "[jp]mpost" || \
 			echo $command_list | grep -w -q "upmpost"
 	then
 		echo "kpsewhich -var-value=shell_escape_commands"
 		echo $command_list_orig
 		echo "WARNING: Refer to utilities/mpostcheck.sh for texmf config fix."
 		dogrep
 	else
 		exit 0
 	fi
 else
 	dogrep
 	exit 0
 fi
	#!/bin/sh
	# Check the presence of "mpost" in LaTeX sources
	#
	# A POC of an arbitrary code execution vulnerability in the default
	# configuration of TeX packages was disclosed at
	# https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/.
	# TeX Live 2016 is updated on November 30, 2016 to plug the security hole
	# by removing "mpost" from the "shell_escape_commands" variable of default
	# texmf configuration.
	# However, depending on the customization of a user, he/she can still be
	# affected after the update.
	#
	# To prevent exploitation of the vulnerability, this script checks
	# if "mpost" is present in source files of perfbook.
	# If the vulnerability is fixed in your TeX environment, the check is
	# skipped.
	#
	# This program is free software; you can redistribute it and/or modify
	# it under the terms of the GNU General Public License as published by
	# the Free Software Foundation; either version 2 of the License, or
	# (at your option) any later version.
	#
	# This program is distributed in the hope that it will be useful,
	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	# GNU General Public License for more details.
	#
	# You should have received a copy of the GNU General Public License
	# along with this program; if not, you can access it online at
	# http://www.gnu.org/licenses/gpl-2.0.html.
	#
	# Copyright (C) Akira Yokosawa, 2016, 2019
	#
	# Authors: Akira Yokosawa <akiyks@gmail.com>
	#
	#-------------------------------------------------------------------
	# Instruction to plug the security hole
	# (based on https://zrbabbler.hatenablog.com/entry/20161206/1481039449
	# (in Japanese), translated and supplemented by Akira Yokosawa)
	#
	# 1. Test the config of your TeX environment
	#
	# Enter the following in a command shell:
	#
	# $ kpsewhich -var-value=shell_escape_commands
	#
	# Example output:
	#
	# bibtex,bibtex8,extractbb,kpsewhich,makeindex,mpost,repstopdf
	#
	# If "mpost" appears in the output, your setting is vulnerable.
	# Following variants of "mpost" are also vulnerable:
	# pmpost
	# jmpost
	# upmpost
	#
	# Note:
	# "rmpost", "rpmpost", "r-mpost", "r-pmpost", and "r-upmpost"
	# in the list are known to be safe.
	#
	# 2. Solution
	#
	# 2-1. Update TeX distribution if possible
	#
	# However, depending on your customization, you may still be vulnerable.
	# Do Step 1 again after the update.
	# If you are still vulnerable, proceed to Step 2-2.
	#
	# 2-2. Modify texmf configuration
	#
	# 2-2-1. Using tlmgr
	#
	# If tlmgr is available, enter the following command in a command shell:
	#
	# $ tlmgr conf texmf shell_escape_commands [list]
	#
	# Here, [list] is a command list displayed in Step 1 with "mpost," removed,
	# e.g.:
	#
	# $ tlmgr conf texmf shell_escape_commands \
	# > bibtex,bibtex8,extractbb,kpsewhich,makeindex,repstopdf
	#
	# 2-2-2. Manual fix
	#
	# If tlmgr is not available, proceed as follows:
	#
	# o Search effective texmf.cnf
	#
	# Enter the following command:
	#
	# $ kpsewhich texmf.cnf
	#
	# The path displayed is the effective one.
	#
	# o Edit the texmf.cnf to remove "mpost" from shell_escape_commands
	#
	# If there is a line beginning with "shell_escape_commands=" in the
	# texmf.cnf file, edit it to remove "mpost,".
	#
	# If there is not such a line, add a line of:
	#
	# shell_escape_commands=[list]
	#
	# where [list] is again a command list displayed in Step 1 with "mpost,"
	# removed, e.g.:
	#
	# shell_escape_commands=bibtex,bibtex8,extractbb,kpsewhich,makeindex,repstopdf
	#
	# Note:
	# If the effective texmf.cnf has a comment saying not to edit it directly,
	# follow the instruction given there.
	#-------------------------------------------------------------------

	: ${WHICH:=command -v}

	dogrep() {
	texsrc=`find . -name "*.tex" -print`
	bibsrc=`find . -name "*.bib" -print`
	stysrc=`find . -name "*.sty" -print`
	clssrc=`find . -name "*.cls" -print`
	bstsrc=`find . -name "*.bst" -print`
	perfbooksrc="$texsrc $bibsrc $stysrc $clssrc $bstsrc"
	if grep -w -n "mpost" $perfbooksrc \|\| \
	grep -w -n "[jp]mpost" $perfbooksrc \|\| \
	grep -w -n "upmpost" $perfbooksrc
	then
	echo "#####################################################"
	echo "## 'mpost' is found in LaTeX sources. Aborting... ##"
	echo "## Refer to comment in utilities/mpostcheck.sh. ##"
	echo "#####################################################"
	exit 1
	fi
	}

	if $WHICH kpsewhich >/dev/null
	then
	command_list_orig=`kpsewhich -var-value=shell_escape_commands`
	command_list=`echo $command_list_orig \| sed -E "s/r-u?p?mpost,//g"`
	if echo $command_list \| grep -w -q "mpost" \|\| \
	echo $command_list \| grep -w -q "[jp]mpost" \|\| \
	echo $command_list \| grep -w -q "upmpost"
	then
	echo "kpsewhich -var-value=shell_escape_commands"
	echo $command_list_orig
	echo "WARNING: Refer to utilities/mpostcheck.sh for texmf config fix."
	dogrep
	else
	exit 0
	fi
	else
	dogrep
	exit 0
	fi