LaTeX and BIBTeX are insecure


Please note that some of the LaTeX code was not translated correctly when I moved this blogpost to WordPress.com from Posterous.com

Have you ever cursed the obscurities of the LaTeX document preparation system? Strange error messages, float placement, wrapping text around figures (with “wrapfig”), LaTeX styles, bibliography styles, not being able to remember specific commands, etc. The wrapfigure environment in particular appears unpredictable to me. It ain’t “what you write is what you get” to me. I suppose that if you understood the internal intricacies of TeX you would float in heaven, but there is less hope for those of us who are still unsure what the meaning of this is:

\hb@xt@\hsize{\hfil\box\@tempboxa\hfil}%

or this:

\sfcode`\.\@m}

One issue I ran into recently was escaping in BIBTeX files. Suppose you have something like this in the bibliography database:

URL = {http://www.cse.ohio-state.edu/~agrawal/788-au10/Papers/Oct28/google-fusion-socc10.pdf},

DOI = {10.1007/978-3-540-76298-0_52},

Before you find a solution you may need to try out combinations of \htmladdnormallink, \href and some different escapes:


URL = {http://www.cse.ohio-state.edu/\~{}agrawal/788-au10/Papers/Oct28/google-fusion-socc10.pdf},

URL = {http://www.cse.ohio-state.edu/%7Eagrawal/788-au10/Papers/Oct28/google-fusion-socc10.pdf},

DOI = {10.1007/978-3-540-76298-0\_52},

My BIBTeX style file contains:


FUNCTION {format.doi}
{ doi missing$
    { "" }
    { ". DOI:~\htmladdnormallink{" doi *
      "}{http://dx.doi.org/" *
      doi *
      "}" *
    }
  if$
}

FUNCTION {format.url}
{ url missing$
    { "" }
    { ". \htmladdnormallink{Link}{" url * "}" *
    }
  if$
}

Another problem is line breaking with bibtex. The bibtex program wants to break long lines from the .bib-file. Sometimes you will get into trouble with HTML linking; something like the following may be problematic when compiling with latex:


\htmladdnormallink{\verb!10.1126/science.1199305!}{http://dx.doi.org/10%
.1126/science.1199305}.

I have occasionally wondered about the security of LaTeX, as I have seen things like “\@openbib@code” in style files. If you “egrep -r” your file system and search the Internet you will be able to find some commands that read and write files, and you can construct a small ‘program’:

\documentclass{article}
\begin{document}
\newwrite\myout
\immediate\openout\myout=output.txt
\immediate\write\myout{Hello, World}
\immediate\closeout\myout
\end{document}

With this content in a .tex-file sent through latex you end up with a file called ‘output.txt’ containing ‘Hello, World’. Presumably you could then write funny things into a ~/.bashrc file instead. Not good :-(
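What actually happens to that ~/.bashrc idea on a TeX Live system depends on the kpathsea setting openout_any in texmf.cnf (a = any, r = restricted, p = paranoid, the default), which every \openout file name is checked against. The following is an added example, not code from the post or from TeX Live: a simplified re-implementation of that check, dropping some of kpathsea's smaller exceptions, plus a small audit that pulls the \openout targets out of a constructed .tex source and reports how the paranoid policy treats each one. The assumptions are that the name reaches the check exactly as written (no tilde expansion) and that TEXMFOUTPUT is unset unless passed in.

```python
r"""Simplified model of kpathsea's openout_any check (added example, not TeX Live's code).

openout_any in texmf.cnf takes one of three values:
  a  any file name is accepted
  r  restricted: no "dot file" (a path component starting with '.')
  p  paranoid (TeX Live default): as 'r', plus no parent-directory traversal,
     and an absolute path is accepted only under $TEXMFOUTPUT
The real check is kpse_out_name_ok in kpathsea; this version omits some of
its smaller exceptions and exists to show what the default does with ~/.bashrc.
"""
import re


def openout_allowed(name, mode="p", texmfoutput=None):
    """Return True if policy `mode` would let \\openout create `name`."""
    if mode not in ("a", "r", "p"):
        raise ValueError("openout_any must be 'a', 'r' or 'p'")
    if mode == "a":
        return True
    # Assumption: no tilde expansion, so "~/.bashrc" is judged on its
    # components "~" and ".bashrc" exactly as TeX received them.
    parts = [p for p in name.split("/") if p]
    # 'r' and 'p': refuse dot files anywhere in the path ('.' and '..' are not dot files)
    if any(p.startswith(".") and p not in (".", "..") for p in parts):
        return False
    if mode == "r":
        return True
    # 'p': refuse climbing into a parent directory
    if ".." in parts:
        return False
    # 'p': an absolute path must lie inside $TEXMFOUTPUT, and only if that is set
    if name.startswith("/"):
        if not texmfoutput:
            return False
        base = texmfoutput.rstrip("/")
        return name == base or name.startswith(base + "/")
    return True


# \openout<stream>=<filename>; the '=' is optional and TeX reads the name up to a space
OPENOUT = re.compile(r"\\openout\s*\\[A-Za-z@]+\s*=?\s*([^\s{}]+)")


def audit_openouts(tex_source, mode="p", texmfoutput=None):
    """Return [(target, allowed)] for every \\openout found in a TeX source."""
    return [(m.group(1), openout_allowed(m.group(1), mode, texmfoutput))
            for m in OPENOUT.finditer(tex_source)]


# Constructed sample: the post's Hello, World writer plus two riskier targets.
SAMPLE_TEX = r"""\documentclass{article}
\begin{document}
\newwrite\myout
\immediate\openout\myout=output.txt
\immediate\write\myout{Hello, World}
\immediate\closeout\myout
\newwrite\evil
\immediate\openout\evil=~/.bashrc
\immediate\openout\evil=../notes.txt
\end{document}
"""

if __name__ == "__main__":
    for target, ok in audit_openouts(SAMPLE_TEX):
        print(f"{target:15} {'allowed' if ok else 'REFUSED'} under openout_any=p")
```

Under the default paranoid setting only output.txt survives: the .bashrc component trips the dot-file rule (as it would under 'r' too), and ../notes.txt trips the parent-directory rule. Setting openout_any=a, or running an engine that does not use kpathsea, removes these checks, which is why the setting is worth verifying on any machine that compiles documents it did not author.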

There hasn’t been much talk about the security of the LaTeX system. Only recently have I seen a paper exploring the issue. The authors describe a DoS attack via the \loop command and manage to build a small virus that nicely infects all your LaTeX files. With a bit more payload it could also botnet your computer.

The issue resembles the good old macro virus available in Microsoft Word.

I don’t think we will see a security fix for this issue. It is likely to be regarded as a feature rather than a bug. PostScript seems to have the same problem (i.e., being able to manipulate files) as far as I understand, but ghostscript has the -dSAFER option to handle unsafe documents. MediaWiki’s texvc (for the math rendering) seems not to be susceptible to the problem, but the Checkoway paper shows a number of tools having issues.

Malicious LaTeX code can also be hidden in BIBTeX files. My BIBTeX file is over 80,000 lines long and it would be difficult to check it, especially considering that LaTeX commands can be written in various ways. The LaTeX can for example be converted by a small Python program into TeX’s ^^ hex notation for character codes:


>>> s = r"""\newwrite\myout
...   \immediate\openout\myout=output.txt
...   \immediate\write\myout{Hello, World}
...   \immediate\closeout\myout"""
>>> # Note: "%x" emits a single digit for codes below 0x10, so the newline (0xa)
>>> # becomes ^^a, which TeX reads as its one-character form ("!") rather than as
>>> # hex; "%02x" would give the two-digit ^^0a instead.
>>> "".join(map(lambda i: "^^%x" % ord(i), s))

So this LaTeX file will also write a file (don’t latex this code):

\documentclass{article}
\begin{document}
^^5c^^6e^^65^^77^^77^^72^^69^^74^^65^^5c^^6d^^79^^6f^^75^^74^^a^^20^^20^^5c^^69^^6d^^6d^^65^^64^^69^^61^^74^^65^^5c^^6f^^70^^65^^6e^^6f^^75^^74^^5c^^6d^^79^^6f^^75^^74^^3d^^6f^^75^^74^^70^^75^^74^^2e^^74^^78^^74^^a^^20^^20^^5c^^69^^6d^^6d^^65^^64^^69^^61^^74^^65^^5c^^77^^72^^69^^74^^65^^5c^^6d^^79^^6f^^75^^74^^7b^^48^^65^^6c^^6c^^6f^^2c^^20^^57^^6f^^72^^6c^^64^^7d^^a^^20^^20^^5c^^69^^6d^^6d^^65^^64^^69^^61^^74^^65^^5c^^63^^6c^^6f^^73^^65^^6f^^75^^74^^5c^^6d^^79^^6f^^75^^74
\end{document}
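The encoding above is exactly what a plain grep over a large .bib file misses, so a check has to expand TeX’s ^^ notation before it looks for anything. The following is an added example, not code from the post: a decoder that applies TeX’s two rules (two lowercase hex digits give that character code; any other single character c gives c+64 or c−64, so the post’s ^^a becomes “!”), repeated until nothing changes because TeX re-examines the result, followed by a line scanner that reports which file and command primitives appear and whether they were hidden by the encoding. The list of primitives flagged and the three-entry .bib sample are constructed here; the scanner is a first pass, not a tokenizer.

```python
r"""Expand TeX ^^ notation, then look for file/command primitives in .bib or .tex text.

Added example, not the post's code. A grep for \openout misses the ^^5c^^6f^^70...
spelling; decoding first restores the visible command so the same search works.
"""
import re

# ^^ followed by two lowercase hex digits, or else by any single character
CATCODE = re.compile(r"\^\^([0-9a-f]{2}|.)")

# Primitives worth flagging; "write18" is listed before "write" so it wins the match.
# Assumption: this starting set is what a reviewer of a shared .bib would want to see.
PRIMITIVE = re.compile(
    r"\\(openout|openin|write18|write|input|include|csname)(?![A-Za-z@])")


def _expand(m):
    tok = m.group(1)
    if len(tok) == 2:                 # hex form: ^^5c -> chr(0x5c) == "\\"
        return chr(int(tok, 16))
    code = ord(tok)                   # one-character form: ^^a -> "!" (97 - 64)
    return chr(code + 64) if code < 64 else chr(code - 64)


def decode_catcodes(text, max_passes=8):
    """Expand ^^ notation until stable, as TeX re-reads each reduced character."""
    for _ in range(max_passes):
        expanded = CATCODE.sub(_expand, text)
        if expanded == text:
            return expanded
        text = expanded
    return text


def scan(text):
    """Return (line_no, primitive, was_hidden) for each hit after decoding.

    was_hidden is True when the raw line did not show the primitive, i.e. the
    ^^ encoding was needed to reveal it.
    """
    hits = []
    for no, raw in enumerate(text.splitlines(), start=1):
        decoded = decode_catcodes(raw)
        for m in PRIMITIVE.finditer(decoded):
            hits.append((no, m.group(1), m.group(0) not in raw))
    return hits


# Constructed sample .bib: one harmless entry, one plain \openout, one encoded \openout.
SAMPLE_BIB = r"""@article{fusion2010,
  title = {Google Fusion Tables},
  url   = {http://www.example.org/\~{}agrawal/paper.pdf},
  year  = 2010
}
@misc{plain2011,
  note = {\newwrite\myout \immediate\openout\myout=output.txt},
  year = 2011
}
@misc{hidden2011,
  note = {^^5c^^6e^^65^^77^^77^^72^^69^^74^^65^^5c^^6d^^79^^6f^^75^^74 ^^5c^^6f^^70^^65^^6e^^6f^^75^^74^^5c^^6d^^79^^6f^^75^^74^^3d^^6f^^75^^74^^70^^75^^74^^2e^^74^^78^^74},
  year = 2011
}
"""

if __name__ == "__main__":
    for line_no, prim, hidden in scan(SAMPLE_BIB):
        print(f"line {line_no}: \\{prim}{'  (hidden behind ^^ notation)' if hidden else ''}")
```

On the sample this reports \openout on line 7 in the clear and \openout on line 11 only after decoding. Running the same scan over a real .bib before it goes into a build is cheap, and anything hidden behind ^^ notation in a bibliography entry deserves a second look regardless of which primitive it spells out.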
