I am wondering if texlive-full bears any security issues. Why does everybody trust it? Is it checked by anybody?

Thanks for helping and educating me on this point :)

Joseph Wright
Barbara
  • Might be an idea to mention what you mean by texlive-full. In many cases, Linux users will not be using the TL provided by their Linux, since it is not updated at a good enough pace. That being said, I'm not aware of any security problems. There was an article a few years ago, but those problems were mostly MiKTeX related (fixed in a week) and the other issues are deemed academic. – daleif Sep 23 '13 at 11:27
  • If you're worried about packages using \write18 to execute harmful code, you can run tex with -no-shell-escape. – Nicola Talbot Sep 23 '13 at 12:03
  • I wrote about the security issue @daleif is talking about in my blog: http://www.texdev.net/2010/04/25/tex-and-security/. – Joseph Wright Sep 23 '13 at 12:03
  • @NicolaTalbot Also noting that the standard settings are not to allow \write18, and easily checked in texmf.cnf for the paranoid. – Joseph Wright Sep 23 '13 at 12:04
  • http://tex.stackexchange.com/q/103056/19356 – kiss my armpit Sep 23 '13 at 15:00
  • @PGFTricks Maybe in this full URL format http://tex.stackexchange.com/questions/103056/how-do-ctan-maintainers-make-sure-all-the-uploaded-packages-and-classess-in-ctan: hovering over the link provides the question title instead of the share method; of course one can see them in the Linked questions list irrespective of the format pasted. – texenthusiast Sep 24 '13 at 03:11

4 Answers

TeX Live consists of a relatively small number of executable items and a large number of 'other things', principally LaTeX packages, fonts and documentation (PDF files). The standard settings for the binary part of the setup are 'cautious' about potential security risks in the (La)TeX parts of the system, but these are likely to be more theoretical than actual. To the best of my knowledge there has not been an attempt to send to CTAN, and thus to TeX Live, a LaTeX package which deliberately tries to use \write18 to cause trouble. The number of people who would be affected is very small, and it's extremely unlikely that a self-replicating approach would be successful. The binary parts of the system are of course of more interest in this regard, but again there are not to my knowledge any actual issues (though see Is luatex as secure as pdftex? for discussion on the effect of Lua scripting on security).

All of that said, there is no-one checking each CTAN upload for security fixes, and the TeX Live team take most of their material more-or-less directly from CTAN. As such, if you are looking for some form of 'assurance' on the code then you will have to find a downstream group doing the work. That I know of, Ubuntu do not do this, although you might be better asking on an Ubuntu-specific site about that. Perhaps other operating system teams (most obviously OpenBSD) might do such work if they are very security-focussed, but again that is more about those systems than about TeX.

Joseph Wright
  • Example for security issues found in a texlive component: https://rhn.redhat.com/errata/RHSA-2012-0137.html – moooeeeep Nov 02 '16 at 08:24

If you are paranoid enough, then you could download the complete source code, read it and then compile it yourself.

However, due to the fact that most users are not computer scientists, we have to trust the developers of all software we use. In fact we have to trust the manufacturers of everything we do not build/program/make ourselves.

However, open source software provides you and the rest of the world with the source code. So, the general idea is that if there is any flaw in the software, it will be noticed and reported by somebody. With closed source software, there is no such thing.

Dohn Joe
  • Hello Dohn Joe, thank you for the reply. That is something I also value in open source software. What I doubt is whether the texlive-full package for Linux is used by enough users to disclose any bugs or malware. As far as I know, many would just use the basic packages. Please correct me if I am wrong. – Barbara Sep 23 '13 at 11:30
  • Who guarantees that there are no security risks in other big software packages? Nobody. However, I put more trust in software developed by the open source community than software made by big profit-hungry and user-data-hungry corporations.

    You can always go minimalist and install only the packages you really need. Then you avoid having packages on your machine that you don't ever use.

    – Dohn Joe Sep 23 '13 at 11:44
  • 1
    @user37113 Do you even know what texlive-full is? It is a meta package, that just instructs Ubuntu (and similar) so install a long list of texlive- packages. So asling whether texlive-full has any malware does not make sense. – daleif Sep 23 '13 at 11:45
  • Dear daleif could you please elaborate on why do you thing it is not possible to include a malware on the texlive-full? My thinking is that the basic version is used by allmost everyone, but the full-version includes really everything an it would be easy to hide or oversee there something. – Barbara Sep 23 '13 at 11:48
  • By the way, the greatest security risk in modern day life is the user himself, e.g. trading security for comfort of use. Furthermore, a TeX package seems a rather odd point of entry into someone's system. – Dohn Joe Sep 23 '13 at 11:49
  • 3
    As mentioned it is a meta package, it does not install anything on its own. It only instructs the system on which packages to install. You will have to check the packages that it lists, but on its own it does not install anything. Why down you just download the corresponding .deb and see for your self. I just did. – daleif Sep 23 '13 at 11:59
  • 2
    @user37113 'Most people' is a tricky term. Like many other 'serious' TeX users, I install TeX Live using the version from TUG, which includes everything that is in texlive-full but is more up to date. That probably applies to many other people active here, but that doesn't mean it's general for all TeX users. Most of the binaries are in a small number of packages: almost all of the TeX code is from CTAN, and that I know of there has not been a security-related dodgy uploaded in the time I've used TeX (~ 10 years). – Joseph Wright Sep 23 '13 at 12:07
  • I installed the ubuntu packages through apt-get texlive-full, but I noticed that everyone can design and submit package to texlive, which means it could be potentially unsafe? Sorry for bothering question but I am really confused on the texlive packages and how the security issue is handled. I know that ubuntu is checking stuff in main repository bud does not do it for the universe repositories. – Barbara Sep 23 '13 at 12:09
  • @JosephWright: Dear Joseph, thank you for your oppinion. What I want to know is wheather the full-version is checked before it is possible to download it or the bugs are discovered "on the fly" while people use it? – Barbara Sep 23 '13 at 12:28
  • @user37113, how? Each package has a maintainer. By default LaTeX cannot run external programs, so how should an attacker be able to do anything. Sorry, but you sound more like a troll to me. – daleif Sep 23 '13 at 12:31
  • @daleif: Dear daleif, sorrry if it sounds like this. I am just a little bit afraid I did something wrong with the "sudo" command. I am a long-year office user and now switching to ubuntu and latex. Since I have a lot of data on my 1 TB HD I do all the installations just from main-repo. The texlive version in the "texlive-full" version is unfortunatelly in the universe repository, which means I nead to trust the texlive guys.I just noticed that it is possible to submit an own package to texlive and do not know the security policy of texlive producer (which I guess is tug?).Didn't mean to offend – Barbara Sep 23 '13 at 12:40
  • TUG does not produce the packages for Ubuntu. They have nothing to do with the .deb packages being produced. Some volunteers maintain the .deb packages. And yes, you have to trust them. In the same way as you will have to trust all the other providers of the software you use. – daleif Sep 23 '13 at 12:58
  • Everyone can make f***'ups with the sudo command. But in that sense, sudo apt-get ... something from universe, is a lot safer than the human errors being made by users using sudo trying to follow something on a page they found on google. – daleif Sep 23 '13 at 12:59
  • Your biggest concern should be for packages (and there are very, very few) that require you to use the option -shell-escape, which allows TeX to start its own sub-shell and do 'extra' things. (And in fact, all the packages which require it that I've used are legit and not harmful.) But if you like to be super-safe, follow @NicolaTalbot's advice (above). Otherwise, the default TeX Live security settings for reading and writing files are sensible and sane and (definitely) followed in the Debian versions. – jon Sep 23 '13 at 13:11
  • The other suggestion is: delete all the packages you know you aren't going to use. If, say, all you planned to do was write English language novels, for instance, you could get by with a small set of packages. If you don't care about fonts, you could get rid of a lot of them too. Etc., etc. You do need to be careful about not deleting too much, of course. (My wife's brother once tried to free up space on his family's computer as a teenager and so went about deleting all kinds of system files and .dll files with predictable results.) – jon Sep 23 '13 at 13:14
note that everything in tex live comes from ctan, one way or another.

there have, in my time as a ctan manager, been two notifications of virus "detection" on ctan. the first, back in the '90s, complained about a file whose name matched some known virus at the time; its contents were, of course, entirely harmless.

the second was more recent, but again proved a false alarm.

i have heard that at least some people run virus scanners over a copy of the ctan stuff; those people don't report any issues to us.

in my opinion, there is no more than a minuscule chance of problems with tex code from ctan, provided that you're careful with any use of \write 18 to get data from outside tex. i've never heard of any problem reports, even from that (admittedly dodgy) facility.

wasteofspace
  • Dear wasteofspace, it really is good news. But can you please tell me if all the texlive packages (texlive-full in Linux) are checked by ctan/tug before a new version is released? – Barbara Sep 23 '13 at 18:34
  • @Barbara They are not, but even if they were, it wouldn't really matter since they are not signed. You could never be assured that what you are downloading is actually what was checked. – StrongBad Sep 23 '13 at 19:56
  • @Barbara: These "packages" come from some other source than CTAN/TUG; typically an operating system vendor. Please contact these sources. – Martin Schröder Sep 24 '13 at 08:58
I believe the vast majority of TeX Live is devoted to fonts and macro packages. These are passive files that do not do anything and cannot be "run" and are therefore safe. There are a small number of executable binary files (e.g., pdflatex) and scripts (latexdiff) that are intended to do things and therefore can pose security risks. From this question of mine, I believe the binaries are built from source by the TeX Live team. This means that there is the additional chance that a malicious CTAN contribution that requires compiling will be caught by the CTAN team. All bets are off for scripts on the other hand. You should be wary when running esoteric scripts and binaries.

For packages, it is possible that a LaTeX file could load a package such that, when compiled by pdflatex, it acts as malware. Running a new version of pdflatex, where \openout is sandboxed, without shell-escape enabled should reduce these risks. Again, for esoteric packages, you should take a look at what they do.

StrongBad
  • Dear Daniel, do I understand correctly that I can really install sudo apt-get texlive-full without any doubt (it is the 2009 version on Ubuntu 12.04 LTS), and that just running a TeX document/template can be dangerous? – Barbara Sep 23 '13 at 13:23
  • I would be willing to go out on a limb and say that installing a signed version of the texlive package is perfectly safe. Running any of the binaries or scripts, on the other hand, has the potential for bad things to happen. – StrongBad Sep 23 '13 at 13:35
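An added example, not code from any of the answers above and not part of TeX Live or kpathsea: a small Python script that does the two defensive checks this thread keeps coming back to (Nicola Talbot's -no-shell-escape advice, Joseph Wright's note that the defaults are checked in texmf.cnf, and StrongBad's point about sandboxed \openout). It scans a document for constructs that only do anything when shell escape is on (\write18, \ShellEscape, pipe input, and packages known to require -shell-escape), and it models kpathsea's openout_any rule to show why a write to ../../outside.txt is refused by the paranoid default. The sample document, the package list and the `openout_allowed` function are all assumptions for illustration: the package list is deliberately incomplete, and `openout_allowed` follows the documented a/r/p semantics only, ignoring the TEXMFOUTPUT exception.

```python
import re
from pathlib import PurePosixPath

# Constructed sample document (not from any answer on this page). It mixes harmless
# input with the constructs the answers warn about: a package that needs -shell-escape,
# \write18, pipe input, and an \openout that climbs out of the working directory.
SAMPLE_TEX = r"""\documentclass{article}
\usepackage{minted}  % minted calls pygmentize, so it needs -shell-escape
\immediate\write18{echo hello}
\newwrite\outfile
\immediate\openout\outfile=../../outside.txt
\begin{document}
Harmless text. % \write18{commented out, so not flagged}
\input|"ls"
\end{document}
"""

# Illustrative (assumed, incomplete) list of packages that require shell escape.
SHELL_ESCAPE_PACKAGES = {"minted", "pythontex"}

# Primitives that reach outside TeX when shell escape is enabled.
SHELL_ESCAPE_PATTERNS = [
    ("write18", re.compile(r"\\write\s*18\b")),
    ("ShellEscape", re.compile(r"\\(?:Delayed)?ShellEscape\b")),
    ("pipe input", re.compile(r"\\input\s*\|")),
]
USEPACKAGE_RE = re.compile(r"\\usepackage(?:\[[^\]]*\])?\{([^}]*)\}")
OPENOUT_RE = re.compile(r"\\openout\\?\w*\s*=\s*([^\s%{}]+)")


def strip_comment(line: str) -> str:
    """Drop a TeX comment (an unescaped % to end of line) so commented-out code is not flagged."""
    return re.sub(r"(?<!\\)%.*$", "", line)


def find_shell_escape(tex: str) -> list[tuple[int, str, str]]:
    """Return (line number, kind, snippet) for every shell-escape construct in the document."""
    hits = []
    for lineno, raw in enumerate(tex.splitlines(), start=1):
        line = strip_comment(raw)
        for kind, pat in SHELL_ESCAPE_PATTERNS:
            for m in pat.finditer(line):
                hits.append((lineno, kind, m.group(0)))
        for m in USEPACKAGE_RE.finditer(line):
            for name in m.group(1).split(","):
                if name.strip() in SHELL_ESCAPE_PACKAGES:
                    hits.append((lineno, "shell-escape package", name.strip()))
    return hits


def find_openout_targets(tex: str) -> list[tuple[int, str]]:
    """Return (line number, path) for every \\openout target in the document."""
    targets = []
    for lineno, raw in enumerate(tex.splitlines(), start=1):
        for m in OPENOUT_RE.finditer(strip_comment(raw)):
            targets.append((lineno, m.group(1)))
    return targets


def openout_allowed(path: str, mode: str = "p") -> bool:
    """Simplified model (assumption, not kpathsea's own code) of the openout_any setting:
    'a' allows anything, 'r' refuses dotfiles such as .bashrc, 'p' additionally refuses
    absolute paths and any '..' component. TeX Live's texmf.cnf default is openout_any = p.
    The real check also permits absolute paths under TEXMFOUTPUT, which is ignored here."""
    if mode == "a":
        return True
    p = PurePosixPath(path)
    if p.name.startswith("."):
        return False
    if mode == "r":
        return True
    return not (p.is_absolute() or ".." in p.parts)


if __name__ == "__main__":
    for lineno, kind, snippet in find_shell_escape(SAMPLE_TEX):
        print(f"line {lineno}: {kind}: {snippet}")
    for lineno, target in find_openout_targets(SAMPLE_TEX):
        verdict = "allowed" if openout_allowed(target, "p") else "REFUSED under openout_any=p"
        print(f"line {lineno}: \\openout {target}: {verdict}")
```

Running it on the sample reports lines 2, 3 and 8 as shell-escape dependent and line 5 as a write that the paranoid default refuses; the commented-out \write18 on line 7 is ignored. On a real installation the live values the script models can be read with `kpsewhich -var-value=shell_escape` and `kpsewhich -var-value=openout_any`, which is the texmf.cnf check Joseph Wright mentions; a document that produces hits here is one to compile with -no-shell-escape (or not at all) until you have read the package it pulls in.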