blob: 0e54923b571a8285151acd66dbebddfb2fc1cda8 [file] [log] [blame]
# Check the presence of "mpost" in LaTeX sources
# A POC of an arbitrary code execution vulnerability in the default
# configuration of TeX packages was disclosed at
# TeX Live 2016 is updated on November 30, 2016 to plug the security hole
# by removing "mpost" from the "shell_escape_commands" variable of default
# texmf configuration.
# However, depending on the customization of a user, he/she can still be
# affected after the update.
# To prevent exploitation of the vulnerability, this script checks
# if "mpost" is present in source files of perfbook.
# If the vulnerability is fixed in your TeX environment, the check is
# skipped.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, you can access it online at
# Copyright (C) Akira Yokosawa, 2016
# Authors: Akira Yokosawa <>
# Instruction to plug the security hole
# (based on (in Japanese),
# translated and supplemented by Akira Yokosawa)
# 1. Test the config of your TeX environment
# Enter the following in a command shell:
# $ kpsewhich -var-value=shell_escape_commands
# Example output:
# bibtex,bibtex8,extractbb,kpsewhich,makeindex,mpost,repstopdf
# If "mpost" appears in the output, your setting is vulnerable.
# Following variants of "mpost" are also vulnerable:
# pmpost
# jmpost
# upmpost
# Note:
# "rmpost" and "rpmpost" in the list are known to be safe.
# 2. Solution
# 2-1. Update TeX distribution if possible
# However, depending on your customization, you may still be vulnerable.
# Do Step 1 again after the update.
# If you are still vulnerable, proceed to Step 2-2.
# 2-2. Modify texmf configuration
# 2-2-1. Using tlmgr
# If tlmgr is available, enter the following command in a command shell:
# $ tlmgr conf texmf shell_escape_commands [list]
# Here, [list] is a command list displayed in Step 1 with "mpost," removed,
# e.g.:
# $ tlmgr conf texmf shell_escape_commands \
# > bibtex,bibtex8,extractbb,kpsewhich,makeindex,repstopdf
# 2-2-2. Manual fix
# If tlmgr is not available, proceed as follows:
# o Search effective texmf.cnf
# Enter the following command:
# $ kpsewhich texmf.cnf
# The path displayed is the effective one.
# o Edit the texmf.cnf to remove "mpost" from shell_escape_commands
# If there is a line beginning with "shell_escape_commands=" in the
# texmf.cnf file, edit it to remove "mpost,".
# If there is not such a line, add a line of:
# shell_escape_commands=[list]
# where [list] is again a command list displayed in Step 1 with "mpost,"
# removed, e.g.:
# shell_escape_commands=bibtex,bibtex8,extractbb,kpsewhich,makeindex,repstopdf
# Note:
# If the effective texmf.cnf has a comment saying not to edit it directly,
# follow the instruction given there.
dogrep() {
texsrc=`find . -name "*.tex" -print`
bibsrc=`find . -name "*.bib" -print`
stysrc=`find . -name "*.sty" -print`
clssrc=`find . -name "*.cls" -print`
bstsrc=`find . -name "*.bst" -print`
perfbooksrc="$texsrc $bibsrc $stysrc $clssrc $bstsrc"
if grep -w -n "mpost" $perfbooksrc || \
grep -w -n "[jp]mpost" $perfbooksrc || \
grep -w -n "upmpost" $perfbooksrc
echo "#####################################################"
echo "## 'mpost' is found in LaTeX sources. Aborting... ##"
echo "## Refer to comment in utilities/ ##"
echo "#####################################################"
exit 1
if which kpsewhich >/dev/null
command_list=`kpsewhich -var-value=shell_escape_commands`
if echo $command_list | grep -w -q "mpost" || \
echo $command_list | grep -w -q "[jp]mpost" || \
echo $command_list | grep -w -q "upmpost"
echo "kpsewhich -var-value=shell_escape_commands"
echo $command_list
echo "WARNING: Refer to utilities/ for texmf config fix."
exit 0
exit 0