
Reconsider default use of --shell-escape #195

Open
William957-web opened this issue Sep 19, 2024 · 7 comments

Comments

@William957-web
Copy link

How can I report if I found out a vulnerability on this application?

@alexandervdm
Copy link
Owner

Assuming this is not a hypothetical, please email me directly on gummi@{the domain in my github profile}

@William957-web
Copy link
Author

William957-web commented Sep 19, 2024

@alexandervdm
Already emailed, check your inbox~
Re: The vendor already contacted me with the issue!

@mdosch
Copy link

mdosch commented Oct 26, 2024

So, what was the outcome? Is there a vulnerability?

@alexandervdm
Copy link
Owner

> @alexandervdm Already emailed, check your inbox~

The phrasing of this comment could be interpreted by a reader to mean that I missed/ignored an earlier email, but just so there's no confusion I want to make it clear that our email exchange happened right after I responded here on the Github issue on Sept 19.

> So, what was the outcome? Is there a vulnerability?

The issue pointed out by @William957-web refers to the fact that Gummi by default enables the "--shell-escape" flag on the LaTeX compiler command used for its live preview. This could be abused if you were to open a document from a bad actor that includes destructive or otherwise malicious commands.

This flag however is a necessity when using popular packages that run external commands like TikZ, gnuplot and many others. Like most security-related design decisions, this strikes at the tension between absolute security and optimal user experience. I'm weighing some options but have not made a decision about implementing any of them and also see no need for immediate action at this time.
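As an added example (not Gummi's own code, and not something the maintainer proposed), here is one defender-side way to resolve the tension described in the comment above: a small policy wrapper that defaults the live-preview compile to `-no-shell-escape`, switches to `-shell-restricted` (TeX Live's mode that only runs programs on its `shell_escape_commands` allowlist) when the document contains markers that request external programs, and passes `-shell-escape` only for a document the user has explicitly marked as trusted. The marker list, the function and class names, the sample documents and the file name `doc.tex` are assumptions constructed for this example; the flag names are the standard pdfTeX/TeX Live ones.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed, non-exhaustive list of markers that show a document wants to run
# external programs during compilation (an assumption for this example):
# the raw \write18 / \ShellEscape primitives, TikZ externalization, and a few
# packages that are commonly used with shell escape enabled.
SHELL_ESCAPE_PATTERNS = [
    re.compile(r"\\write18\b"),
    re.compile(r"\\ShellEscape\b"),
    re.compile(r"\\tikzexternalize\b"),
    re.compile(r"\\usepackage(?:\[[^\]]*\])?\{[^}]*\b(minted|gnuplottex|svg)\b[^}]*\}"),
]


def strip_comments(tex: str) -> str:
    """Drop unescaped '%' comments so commented-out macros do not trigger the policy."""
    return "\n".join(re.sub(r"(?<!\\)%.*$", "", line) for line in tex.splitlines())


def shell_escape_markers(tex: str) -> list[str]:
    """Return the first match of each marker pattern found in the uncommented source."""
    body = strip_comments(tex)
    found = []
    for pattern in SHELL_ESCAPE_PATTERNS:
        match = pattern.search(body)
        if match:
            found.append(match.group(0))
    return found


@dataclass(frozen=True)
class CompilePlan:
    argv: list[str]      # the command line the preview would run
    mode: str            # "none", "restricted" or "full"
    markers: list[str]   # why that mode was chosen


def plan_compile(tex: str, tex_file: str, trusted: bool = False,
                 engine: str = "pdflatex") -> CompilePlan:
    """Choose the least-privileged shell-escape setting the document can work with.

    Default: no shell escape at all. If the source asks for external programs,
    use TeX Live's restricted allowlist mode unless the user explicitly marked
    the document as trusted, in which case full shell escape is granted.
    """
    markers = shell_escape_markers(tex)
    if not markers:
        mode, flag = "none", "-no-shell-escape"
    elif trusted:
        mode, flag = "full", "-shell-escape"
    else:
        mode, flag = "restricted", "-shell-restricted"
    argv = [engine, "-interaction=nonstopmode", "-halt-on-error", flag, tex_file]
    return CompilePlan(argv=argv, mode=mode, markers=markers)


# Constructed sample documents for the demonstration.
SAFE_DOC = r"""
\documentclass{article}
\usepackage{tikz}
% \usepackage{minted}   <- commented out, must be ignored by the policy
\begin{document}
\begin{tikzpicture}\draw (0,0) -- (1,1);\end{tikzpicture}
\end{document}
"""

MINTED_DOC = r"""
\documentclass{article}
\usepackage{minted}
\begin{document}
\begin{minted}{c}
int main(void) { return 0; }
\end{minted}
\end{document}
"""

if __name__ == "__main__":
    for name, doc in (("safe", SAFE_DOC), ("minted", MINTED_DOC)):
        for trusted in (False, True):
            plan = plan_compile(doc, "doc.tex", trusted=trusted)
            print(f"{name:7} trusted={trusted!s:5} mode={plan.mode:10} argv={' '.join(plan.argv)}")
```

The point of the three-way split is that an untrusted document opened straight from a download never gets unrestricted `\write18`, while documents that merely use TikZ or other packages that work without external programs lose nothing, and the "trusted" bit is a deliberate per-document choice rather than a global default.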

@William957-web
Copy link
Author

William957-web commented Oct 28, 2024

@alexandervdm
Sorry for my inconsiderate action, I commented that just to give you a notification...
Tkx again for the detailed reply, I really like this project anyway and am still using it!
P.S. Btw, can I request a CVE ID for this?

@alexandervdm
Copy link
Owner

That's quite alright, I just wanted to clarify the timeline.

I don't know the qualifications for a CVE so this is speculation, but I'd lean towards no. After all, is for example the Python interpreter vulnerable because you can open a .py file that includes a line such as os.system("rm -rf ~/")?

With regards to the issue you reported, I admit the current approach is not ideal so I'm keeping this topic open for future reference and discussion.

@alexandervdm alexandervdm changed the title How can I report if I found out a vulnerability on this application Reconsider default use of --shell-escape Oct 30, 2024
@maymage
Copy link

maymage commented Nov 27, 2024

This might be a good reason to shift to flatpak/snap distribution (only) ** cough, cough **
