There are a large number of packages (plus some classes) uploaded and updated in CTAN (other mirrors as well). How do the CTAN maintainers make sure the uploaded stuff is free of malicious code? Do they use a sophisticated script (like anti-virus checkers probably use) to parse the code to check for cleanness?

Alan Munn

  • I'm not aware of any check done by the CTAN maintainers. With the default settings TeX is limited in its power to read and write files on the computer and therefore LaTeX packages and classes aren't a big thread. – Martin Scharrer Mar 18 '13 at 11:18
  • Moreover, you can disable writing to a greater or lesser extent depending on how paranoid you are. – Joseph Wright Mar 18 '13 at 11:20
  • How about packages that need -shell-escape? Do they pass them without any security check? – kiss my armpit Mar 18 '13 at 11:27
  • @Karl'sstudents No checks are made on the code, although the occasional loss of a file is picked up by the CTAN guys. – Joseph Wright Mar 18 '13 at 12:06
  • Martin: Good comment. But you mean packages and classes aren't a big threat, right? – Matthew Leingang Mar 18 '13 at 12:30
  • I think a cost-benefit analysis predicts not much to be gained from writing a virus into a LaTeX package or class. First, you limit the susceptible audience to LaTeX users. Then, you need to design a fake package or class (with documentation) that a good portion of users will be tempted into using. Then you have to obscure the actual function within the package's code, which will be visible to all users. So a lot of work for not much impact. – Matthew Leingang Mar 18 '13 at 12:35
  • @Karl'sstudents Sorry to distract this interesting discussion, but: Yet another name? Are we supposed to remember them all to be able to recognize you? Maybe better to remember just user:19356 ;) – yo' Mar 18 '13 at 13:56
  • If the CTAN maintainers did somehow "vet" the code and place some sort of stamp of approval on it, and something malicious did slip through the cracks, that would seem to open them up to damage litigation; I doubt they'd want to do that. (That's basically the same reason why pretty much every open-source license, and probably most others as well, explicitly states that the licensed work is not guaranteed in any way to do what it says on the tin; if it breaks, you get to keep both pieces, but that's about it.) – user Mar 18 '13 at 14:18
  • Is it a good idea to give a special tag for packages that can only work with -shell-escape, such that users can easily distinguish them from the huge number of other safe packages and anticipate the potential of a security vulnerability? – kiss my armpit Mar 18 '13 at 18:20
  • @CodeMocker What would the point be? If somebody has -shell-escape disabled, the security vulnerability is nullified. If somebody has it enabled, they are no better off with the flag unless an independent party verifies the flags, i.e. assures people that packages X, Y and Z do not use the facilities of -shell-escape. But then somebody has to run the checks... If you rely on packages to self-declare, you might just as well use a malicious/non-malicious flag. Or did I misunderstand the idea? – cfr Feb 04 '14 at 01:21

1 Answer

we don't apply any checks, since we know of no published "automatic" checks we could apply. most things submitted nowadays are simply too big for a visual check (such as i used to apply in the '90s when i first worked on ctan).

one hopes that people won't run anything with "standard" overwriting controls disabled, and we can't, of course, say anything about "unprotected" behaviour of packages (or anything else, for that matter).

in short caveat emptor...

wasteofspace
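The "standard" controls the answer and the comments refer to live in kpathsea's texmf.cnf: shell_escape (f = off, p = restricted to shell_escape_commands, t = unrestricted), openout_any and openin_any (a = any file, r = no dotfiles, p = paranoid: no absolute paths or parent directories). The following is an added example, not code from the thread, that audits a constructed texmf.cnf fragment for those three settings; the program-qualified `name.program` override syntax is kpathsea's, and the first-definition-wins rule mirrors kpathsea's behaviour of earlier texmf.cnf files overriding later ones.

```python
import re

# Constructed texmf.cnf fragment. openout_any/openin_any carry TeX Live's
# stock values; shell_escape is deliberately set to 't' to produce a finding.
SAMPLE_CNF = """\
% texmf.cnf fragment (constructed for this example)
shell_escape = t
shell_escape.pdflatex = p
shell_escape_commands = bibtex,bibtex8,kpsewhich,makeindex
openout_any = p
openin_any = a
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9_-]+)(?:\.([A-Za-z0-9_-]+))?\s*=\s*(.*?)\s*$")

def parse_cnf(text):
    """Return {(name, program): value}; program is None for plain keys.
    The first definition of a key wins (earlier entries override later)."""
    vars_ = {}
    for raw in text.splitlines():
        line = raw.split("%", 1)[0]          # '%' starts a comment in texmf.cnf
        m = _LINE.match(line)
        if m and (m.group(1), m.group(2)) not in vars_:
            vars_[(m.group(1), m.group(2))] = m.group(3)
    return vars_

def lookup(vars_, name, program=None):
    """A program-specific entry (name.program) overrides the plain one."""
    return vars_.get((name, program), vars_.get((name, None)))

# Acceptable values per control and the risk when the value is outside them.
RESTRICTED = {
    "shell_escape": ({"f", "p"}, "shell escape fully enabled: any \\write18 runs"),
    "openout_any":  ({"p"},      "TeX may write outside the working directory"),
    "openin_any":   ({"p", "r"}, "TeX may read any readable file"),
}

def audit(text, program=None):
    """Return a list of findings; an empty list means all controls are restricted."""
    vars_ = parse_cnf(text)
    findings = []
    for name, (ok, why) in RESTRICTED.items():
        value = lookup(vars_, name, program)
        value = value.strip().lower() if value else None
        if value not in ok:
            findings.append(f"{name} = {value!r}: {why}")
    return findings
```

openin_any = a is TeX Live's shipped default and is reported only so the reader can decide, in Joseph Wright's words, how paranoid to be.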