GNU bug report logs - #28811
11.90.2.2017-07-25; preview-at-point fails with Ghostscript-error


Package: auctex;

Reported by: Thomas Stenhaug <thomas.stenhaug <at> gmail.com>

Date: Fri, 13 Oct 2017 15:03:01 UTC

Severity: normal

Merged with 29249

Found in versions 11.90.2.2017, 11.91

Done: Arash Esbati <arash <at> gnu.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 28811 in the body.
You can then email your comments to 28811 AT debbugs.gnu.org in the normal way.



Report forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Fri, 13 Oct 2017 15:03:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thomas Stenhaug <thomas.stenhaug <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-auctex <at> gnu.org. (Fri, 13 Oct 2017 15:03:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Thomas Stenhaug <thomas.stenhaug <at> gmail.com>
To: bug-auctex <at> gnu.org
Subject: 11.90.2.2017-07-25; preview-at-point 
Date: Fri, 13 Oct 2017 16:05:44 +0200

I'm trying to run preview-at-point in the math-environment in the
following file:

--------------------------------------------------------------
\documentclass{article}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\begin{document}
\begin{math}
1 + 1 = 2
\end{math}
\end{document}
------------------------------------------------------------------------

When positioning the point in the math environment and typing `C-c C-p
C-p', a red sign is displayed, associated with the following Ghostscript
error:

--------------------------------------------------------------
/usr/bin/rungs -dOutputFile\=\(_region_.prv/tmp2625buv/pr1-1.png\) -q -dNOPAUSE -DNOPLATFONTS -dPrinted -dTextAlphaBits\=4 -dGraphicsAlphaBits\=4 -sDEVICE\=png16m -r103.68x103.771
GS>{<</PermitFileReading[(_region_.pdf)(_region_.prv/tmp2625buv/preview.dsc)]>> setuserparams .locksafe} stopped pop {DELAYSAFER{.setsafe}if}stopped pop/.preview-BP currentpagedevice/BeginPage get dup null eq{pop{pop}bind}if def<</BeginPage{currentpagedevice/PageSize get dup 0 get 1 ne exch 1 get 1 ne or{.preview-BP 0.980484 0.968765 0.933608 setrgbcolor clippath fill 0.394537 0.324224 0.437507 setrgbcolor}{pop}ifelse}bind/PageSize[1 1]>>setpagedevice/preview-do{[count 3 roll save]3 1 roll dup length 0 eq{pop}{setpagedevice}{ifelse .runandhide}stopped{handleerror quit}if aload pop restore}bind def /GS_PDF_ProcSet GS_PDF_ProcSet dup maxlength dict copy dup begin/graphicsbeginpage{//graphicsbeginpage exec 0.394537 0.324224 0.437507 3 copy rg RG}bind store end readonly store [(_region_.prv/tmp2625buv/preview.dsc)(r)file]aload exch dup 0 setfileposition 457()/SubFileDecode filter cvx .runandhide aload pop dup dup 457 setfileposition 51()/SubFileDecode filter cvx<<>>preview-do
Error: /undefined in .runandhide
Operand stack:
   --nostringval--   --nostringval--
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   %loop_continue   --nostringval--   --nostringval--   false   1   %stopped_push   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--
Dictionary stack:
   --dict:989/1684(ro)(G)--   --dict:0/20(G)--   --dict:80/200(L)--
Current allocation mode is local
Current file position is 902
GS<2>
------------------------------------------------------------------------

Ghostscript is version 9.22. 

------------------------------------------------------------------------

Emacs  : GNU Emacs 25.3.1 (x86_64-pc-linux-gnu, GTK+ Version 3.22.19)
 of 2017-09-16
Package: 11.90.2.2017-07-25

current state:
==============
(setq
 AUCTeX-date "2017-07-25"
 window-system 'x
 LaTeX-version "2e"
 TeX-style-path '("~/.emacs.d/auctex" "/home/thomas/.emacs.d/elpa/auctex-11.91.0/style"
                  "/home/thomas/.emacs.d/auctex/auto" "/home/thomas/.emacs.d/auctex/style" "auto" "style")
 TeX-auto-save nil
 TeX-parse-self nil
 TeX-master t
 TeX-command-list '(("TeX" "%(PDF)%(tex) %(file-line-error) %(extraopts) %`%S%(PDFout)%(mode)%' %t"
                     TeX-run-TeX nil (plain-tex-mode ams-tex-mode texinfo-mode) :help "Run plain TeX")
                    (#("LaTeX" 0 1 (idx 0)) "%`%l%(mode)%' %t" TeX-run-TeX nil (latex-mode doctex-mode)
                     :help "Run LaTeX")
                    ("Makeinfo" "makeinfo %(extraopts) %t" TeX-run-compile nil (texinfo-mode) :help
                     "Run Makeinfo with Info output")
                    ("Makeinfo HTML" "makeinfo %(extraopts) --html %t" TeX-run-compile nil (texinfo-mode)
                     :help "Run Makeinfo with HTML output")
                    ("AmSTeX" "amstex %(PDFout) %(extraopts) %`%S%(mode)%' %t" TeX-run-TeX nil
                     (ams-tex-mode) :help "Run AMSTeX")
                    ("ConTeXt" "%(cntxcom) --once --texutil %(extraopts) %(execopts)%t" TeX-run-TeX nil
                     (context-mode) :help "Run ConTeXt once")
                    ("ConTeXt Full" "%(cntxcom) %(extraopts) %(execopts)%t" TeX-run-TeX nil (context-mode)
                     :help "Run ConTeXt until completion")
                    (#("BibTeX" 0 1 (idx 1)) "bibtex %s" TeX-run-BibTeX nil t :help "Run BibTeX")
                    (#("Biber" 0 1 (idx 2)) "biber %s" TeX-run-Biber nil t :help "Run Biber")
                    (#("View" 0 1 (idx 3)) "%V" TeX-run-discard-or-function t t :help "Run Viewer")
                    (#("Print" 0 1 (idx 4)) "%p" TeX-run-command t t :help "Print the file")
                    (#("Queue" 0 1 (idx 5)) "%q" TeX-run-background nil t :help "View the printer queue"
                     :visible TeX-queue-command)
                    (#("File" 0 1 (idx 6)) "%(o?)dvips %d -o %f " TeX-run-dvips t t :help
                     "Generate PostScript file")
                    (#("Dvips" 0 1 (idx 7)) "%(o?)dvips %d -o %f " TeX-run-dvips nil t :help
                     "Convert DVI file to PostScript")
                    (#("Dvipdfmx" 0 1 (idx 8)) "dvipdfmx %d" TeX-run-dvipdfmx nil t :help
                     "Convert DVI file to PDF with dvipdfmx")
                    (#("Ps2pdf" 0 1 (idx 9)) "ps2pdf %f" TeX-run-ps2pdf nil t :help
                     "Convert PostScript file to PDF")
                    (#("Glossaries" 0 1 (idx 10)) "makeglossaries %s" TeX-run-command nil t :help
                     "Run makeglossaries to create glossary file")
                    (#("Index" 0 1 (idx 11)) "makeindex %s" TeX-run-index nil t :help
                     "Run makeindex to create index file")
                    (#("upMendex" 0 1 (idx 12)) "upmendex %s" TeX-run-index t t :help
                     "Run upmendex to create index file")
                    (#("Xindy" 0 1 (idx 13)) "texindy %s" TeX-run-command nil t :help
                     "Run xindy to create index file")
                    (#("Check" 0 1 (idx 14)) "lacheck %s" TeX-run-compile nil (latex-mode) :help
                     "Check LaTeX file for correctness")
                    (#("ChkTeX" 0 1 (idx 15)) "chktex -v6 %s" TeX-run-compile nil (latex-mode) :help
                     "Check LaTeX file for common mistakes")
                    (#("Spell" 0 1 (idx 16)) "(TeX-ispell-document \"\")" TeX-run-function nil t :help
                     "Spell-check the document")
                    (#("Clean" 0 1 (idx 17)) "TeX-clean" TeX-run-function nil t :help
                     "Delete generated intermediate files")
                    (#("Clean All" 0 1 (idx 18)) "(TeX-clean t)" TeX-run-function nil t :help
                     "Delete generated intermediate and output files")
                    (#("Other" 0 1 (idx 19)) "" TeX-run-command t t :help "Run an arbitrary command"))
 )

--
Thomas




Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Sat, 14 Oct 2017 16:23:02 GMT) Full text and rfc822 format available.

Message #8 received at 28811 <at> debbugs.gnu.org (full text, mbox):

From: Thomas Stenhaug <thomas.stenhaug <at> gmail.com>
To: 28811 <at> debbugs.gnu.org
Subject: Re: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Sat, 14 Oct 2017 18:21:34 +0200

Thomas Stenhaug <thomas.stenhaug <at> gmail.com> writes:

I meant to write "preview-at-point fails with Ghostscript-error" as
subject.


--
Thomas




Changed bug title to '11.90.2.2017-07-25; preview-at-point fails with Ghostscript-error' from '11.90.2.2017-07-25; preview-at-point ' Request was from mose <at> gnu.org (Mosè Giordano) to control <at> debbugs.gnu.org. (Sat, 14 Oct 2017 16:33:01 GMT) Full text and rfc822 format available.

Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Sat, 21 Oct 2017 14:52:02 GMT) Full text and rfc822 format available.

Message #13 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Florian Stecker <m17 <at> florianstecker.de>
To: bug-auctex <at> gnu.org
Subject: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Sat, 21 Oct 2017 11:07:03 +0200

I am having the same problem. Since Ghostscript upgraded to 9.22, 
preview-latex stopped working altogether, independent of the document. 
Sometimes I get "Error: /undefined in .runandhide" and sometimes "Error: 
/typecheck in --setfileposition--".

I submitted a bug report to Ghostscript:

https://bugs.ghostscript.com/show_bug.cgi?id=698680

Apparently they removed the .runandhide operator in version 9.22, so it 
is likely that this causes the problem.

It would be great if someone who actually understands what preview-latex 
does could supply them with a sample input file and try to work out what 
to use instead of ".runandhide". Thank you!




Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Fri, 03 Nov 2017 22:36:01 GMT) Full text and rfc822 format available.

Message #16 received at 28811 <at> debbugs.gnu.org (full text, mbox):

From: Arash Esbati <arash <at> gnu.org>
To: Florian Stecker <m17 <at> florianstecker.de>
Cc: 28811 <at> debbugs.gnu.org, ken.sharp <at> artifex.com
Subject: Re: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Fri, 03 Nov 2017 23:34:19 +0100

Florian Stecker <m17 <at> florianstecker.de> writes:

> I am having the same problem. Since Ghostscript upgraded to 9.22,
> preview-latex stopped working altogether, independent of the
> document. Sometimes I get "Error: /undefined in .runandhide" and
> sometimes "Error: /typecheck in --setfileposition--".
>
> I submitted a bug report to Ghostscript:
>
> https://bugs.ghostscript.com/show_bug.cgi?id=698680
>
> Apparently they removed the .runandhide operator in version 9.22, so
> it is likely that this causes the problem.

Hi Florian,

thanks for the report.  I can confirm that preview-latex does not work
with GS 9.22.  I have the following observation when doing `C-c C-p C-d'
on circ.tex packaged with AUCTeX (on Win10):

a)  When preview-latex invokes the latest `rungs' from texlive2017, I
get no errors, just no snippets to be inserted in Emacs.

b) When preview-latex invokes the latest `gswin64c' (set via
`preview-gs-command'), it fails to write a file preview.dsc and gives me
this error:

--8<---------------cut here---------------start------------->8---
Running `Preview-PDF2DSC' with ``pdf2dsc circ.pdf circ.prv/tmp8548-eJ/preview.dsc''
Error: /undefinedfilename in --file--
Operand stack:
   PDFfile   (circ.pdf)   (r)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   2047   1   3   %oparray_pop   2046   1   3   %oparray_pop   2030   1   3   %oparray_pop   1916   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--
Dictionary stack:
   --dict:993/1684(ro)(G)--   --dict:0/20(G)--   --dict:80/200(L)--
Current allocation mode is local
Last OS error: No such file or directory
Current file position is 1822
GPL Ghostscript 9.22: Unrecoverable error, exit code 1
--8<---------------cut here---------------end--------------->8---

> It would be great if someone who actually understands what
> preview-latex does could supply them with a sample input file and try
> to work out what to use instead of ".runandhide". Thank you!

Well, the requirement above does not apply to me, but preview-latex uses
`.runandhide' in two places:

--8<---------------cut here---------------start------------->8---
(defun preview-gs-open (&optional setup)
  "Start a Ghostscript conversion pass.
SETUP may contain a parser setup function."
  (let ((image-info (assq preview-image-type preview-gs-image-type-alist)))
    (setq preview-gs-image-type (nth 1 image-info))
    (setq preview-gs-sequence nil)
    (setq preview-gs-command-line (append
				   preview-gs-options
				   (nthcdr 2 image-info))
	  preview-gs-init-string
	  (format "{DELAYSAFER{.setsafe}if}stopped pop\
/.preview-BP currentpagedevice/BeginPage get dup \
null eq{pop{pop}bind}if def\
<</BeginPage{currentpagedevice/PageSize get dup 0 get 1 ne exch 1 get 1 ne or\
{.preview-BP %s}{pop}ifelse}bind/PageSize[1 1]>>setpagedevice\
/preview-do{[count 3 roll save]3 1 roll dup length 0 eq\
{pop}{setpagedevice}{ifelse .runandhide}\
stopped{handleerror quit}if \
aload pop restore}bind def "
		  (preview-gs-color-string preview-colors)))
    (preview-gs-queue-empty)
    (preview-parse-messages (or setup #'preview-gs-dvips-process-setup))))
--8<---------------cut here---------------end--------------->8---

and

--8<---------------cut here---------------start------------->8---
(defun preview-prepare-fast-conversion ()
  "This fixes up all parameters for fast conversion."
  (let* ((file (if (consp (car preview-ps-file))
		   (if (consp (caar preview-ps-file))
		       (car (last (caar preview-ps-file)))
		     (caar preview-ps-file))
		 (car preview-ps-file)))
	 (all-files (if (and (consp (car preview-ps-file))
			     (consp (caar preview-ps-file)))
			(caar preview-ps-file)
		      (list file))))
    (setq preview-gs-dsc (preview-dsc-parse file))
    (setq preview-gs-init-string
	  (concat (format "{<</PermitFileReading[%s]>> setuserparams \
.locksafe} stopped pop "
			  (mapconcat 'preview-ps-quote-filename all-files ""))
		  preview-gs-init-string
		  (format "[%s(r)file]aload exch %s .runandhide aload pop "
			  (preview-ps-quote-filename file)
			  (preview-gs-dsc-cvx 0 preview-gs-dsc))))))
--8<---------------cut here---------------end--------------->8---

@Ken: Sorry for the late response from AUCTeX side, and many thanks for
your offer to resolve this issue.  I'm not familiar enough with PS to
come up with an alternative code.  Do you have a suggestion?  TIA.

Best, Arash




Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Sat, 04 Nov 2017 16:36:01 GMT) Full text and rfc822 format available.

Message #19 received at 28811 <at> debbugs.gnu.org (full text, mbox):

From: Ken Sharp <ken.sharp <at> artifex.com>
To: Arash Esbati <arash <at> gnu.org>
Cc: 28811 <at> debbugs.gnu.org, Florian Stecker <m17 <at> florianstecker.de>
Subject: Re: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Sat, 04 Nov 2017 08:59:41 +0000

Hi Arash,

At 23:34 03/11/2017 +0100, Arash Esbati wrote:


>--8<---------------cut here---------------start------------->8---
>(defun preview-gs-open (&optional setup)
>   "Start a Ghostscript conversion pass.
>SETUP may contain a parser setup function."
>   (let ((image-info (assq preview-image-type preview-gs-image-type-alist)))
>     (setq preview-gs-image-type (nth 1 image-info))
>     (setq preview-gs-sequence nil)
>     (setq preview-gs-command-line (append
>                    preview-gs-options
>                    (nthcdr 2 image-info))
>       preview-gs-init-string
>       (format "{DELAYSAFER{.setsafe}if}stopped pop\
>/.preview-BP currentpagedevice/BeginPage get dup \
>null eq{pop{pop}bind}if def\
><</BeginPage{currentpagedevice/PageSize get dup 0 get 1 ne exch 1 get 1 ne or\
>{.preview-BP %s}{pop}ifelse}bind/PageSize[1 1]>>setpagedevice\
>/preview-do{[count 3 roll save]3 1 roll dup length 0 eq\
>{pop}{setpagedevice}{ifelse .runandhide}\
>stopped{handleerror quit}if \
>aload pop restore}bind def "
>           (preview-gs-color-string preview-colors)))
>     (preview-gs-queue-empty)
>     (preview-parse-messages (or setup #'preview-gs-dvips-process-setup))))
>--8<---------------cut here---------------end--------------->8---
>
>and
>
>--8<---------------cut here---------------start------------->8---
>(defun preview-prepare-fast-conversion ()
>   "This fixes up all parameters for fast conversion."
>   (let* ((file (if (consp (car preview-ps-file))
>            (if (consp (caar preview-ps-file))
>                (car (last (caar preview-ps-file)))
>              (caar preview-ps-file))
>         (car preview-ps-file)))
>     (all-files (if (and (consp (car preview-ps-file))
>                  (consp (caar preview-ps-file)))
>             (caar preview-ps-file)
>               (list file))))
>     (setq preview-gs-dsc (preview-dsc-parse file))
>     (setq preview-gs-init-string
>       (concat (format "{<</PermitFileReading[%s]>> setuserparams \
>.locksafe} stopped pop "
>               (mapconcat 'preview-ps-quote-filename all-files ""))
>           preview-gs-init-string
>           (format "[%s(r)file]aload exch %s .runandhide aload pop "
>               (preview-ps-quote-filename file)
>               (preview-gs-dsc-cvx 0 preview-gs-dsc))))))
>--8<---------------cut here---------------end--------------->8---
>
>@Ken: Sorry for the late response from AUCTeX side, and many thanks for
>your offer to resolve this issue.  I'm not familiar enough with PS to
>come up with an alternative code.  Do you have a suggestion?  TIA.

Well the obvious suggestion is simply 'don't use SAFER and DELAYSAFER' 
because then you don't need .runandhide :-)

The problem is that PostScript is a programming language, and the snippets 
above, intermingled with some other language, are a) difficult to read and 
b) shorn of context. It's hard for me to pick out just the PostScript from 
whatever the other language is and without knowing what the aim is it's 
pretty much impossible to figure out what the PostScript is doing.

At a guess, it looks like the intention is to access files outside of 
Ghostscript's tree, while using the -dSAFER option, which bars access to 
such files. The obvious answer to my mind is 'don't do that', apart from 
anything else it seems pointless.

I don't suppose there's anyone still around who knows what the PostScript 
is supposed to do ? I really need to discuss this with someone who 
understands the intended purpose of that PostScript code.

In the absence of anyone who knows what the intended purpose of the code 
is, then I'd need someone to capture the entire PostScript sequence being 
sent to Ghostscript for the simplest possible job. I could then at least 
run the file and see what it does.

I would do this myself, but I'm completely unfamiliar with AUCTeX so I'd be 
fumbling in the dark....

If you want to go down that route, then can I suggest reopening our bug 698680:

https://bugs.ghostscript.com/show_bug.cgi?id=698680

and attaching the PostScript file there (and any other files needed to make 
the program run).



                            Ken





Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Sat, 04 Nov 2017 17:17:02 GMT) Full text and rfc822 format available.

Message #22 received at 28811 <at> debbugs.gnu.org (full text, mbox):

From: David Kastrup <dak <at> gnu.org>
To: Ken Sharp <ken.sharp <at> artifex.com>
Cc: Arash Esbati <arash <at> gnu.org>, 28811 <at> debbugs.gnu.org
Subject: Re: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Sat, 04 Nov 2017 18:16:28 +0100

Ken Sharp <ken.sharp <at> artifex.com> writes:

> Well the obvious suggestion is simply 'don't use SAFER and DELAYSAFER'
> because then you don't need .runandhide :-)

They are there for a reason, aren't they?

> The problem is that PostScript is a programming language, and the
> snippets above, intermingled with some other language, are a)
> difficult to read and b) shorn of context. It's hard for me to pick out
> just the PostScript from whatever the other language is and without
> knowing what the aim is it's pretty much impossible to figure out what
> the PostScript is doing.

It's rendering individual PostScript files in an order determined by the
current position in a viewer (in this case an Emacs file), and the
individual files are externally provided, so they may contain malicious
code.

Pretty much the principal reason for the existence of DELAYSAFER.  Since
the rendering order is determined interactively, different files need to
be opened.  Also it is hard to divert the input to an external file and
it would look pointless since the main "feature" is that the end of the
file is yet unknown while the start is already being interpreted.

This uses Ghostscript interactively via pipes (or a tty, I forget
which): if there was a mode "be unsafe on the Ghostscript interpreter
command line and safe within files read from there", that would work.

> At a guess, it looks like the intention is to access files outside of
> Ghostscript's tree, while using the -dSAFER option, which bars access
> to such files. The obvious answer to my mind is 'don't do that', apart
> from anything else it seems pointless.

How are safe PostScript viewers to be implemented now?

-- 
David Kastrup




Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Sat, 04 Nov 2017 19:30:02 GMT) Full text and rfc822 format available.

Message #25 received at 28811 <at> debbugs.gnu.org (full text, mbox):

From: Ken Sharp <ken.sharp <at> artifex.com>
To: David Kastrup <dak <at> gnu.org>
Cc: Arash Esbati <arash <at> gnu.org>, 28811 <at> debbugs.gnu.org
Subject: Re: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Sat, 04 Nov 2017 19:27:39 +0000

At 18:16 04/11/2017 +0100, David Kastrup wrote:

> > Well the obvious suggestion is simply 'don't use SAFER and DELAYSAFER'
> > because then you don't need .runandhide :-)
>
>They are there for a reason, aren't they?

Yes, though I would (and have) argued against them. The interpreter is 
intended to be able to access the file system (as permitted by the language 
specification). Nevertheless, the capability exists to prevent that, 
because people asked for it.


>It's rendering individual PostScript files in an order determined by the
>current position in a viewer (in this case an Emacs file), and the
>individual files are externally provided, so they may contain malicious
>code.

Provided they are in the current directory, as far as I'm aware you don't 
need to break SAFER for them, because the current working directory is 
permitted. I can't recall if that requires -P- or not, it may do.


>Pretty much the principal reason for the existence of DELAYSAFER.

DELAYSAFER is there to permit operations to be concluded that won't work if 
you have SAFER. This is, however, a massive security hole, there are any 
number of implementations and 'recipes' out there which use SAFER and 
DELAYSAFER and never call .setsafe. Also WRITESYSTEMDICT and other things.

In any event, DELAYSAFER hasn't changed.


>This uses Ghostscript interactively via pipes (or a tty, I forget
>which): if there was a mode "be unsafe on the Ghostscript interpreter
>command line and safe within files read from there", that would work.

No way that Ghostscript can tell the difference, at the interpreter level, 
it all just comes in as streamed data.


>How are safe PostScript viewers to be implemented now?

Well, you can use SAFER, you can even use DELAYSAFER, that has not changed. 
What I'm questioning is the use of .runandhide.


                    Ken
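
Added example, not part of the original thread and not preview-latex or Ghostscript code: a static check for the pattern described in the message above (DELAYSAFER on the command line with no .setsafe call in the PostScript sent to the interpreter), which also counts .runandhide uses. The RECIPE_* inputs and the file name input.ps are constructed; the REPORT_* inputs are excerpted from the transcript in message #5, and the function names are hypothetical.

```python
"""Static check of a Ghostscript invocation: DELAYSAFER without .setsafe,
and use of .runandhide (reported as undefined with Ghostscript 9.22)."""

DELIMS = set("()<>[]{}/%")


def ps_names(ps):
    """Yield (name, is_literal) for each name token in PostScript text.

    Skips % comments and ( ) string bodies (nested parens, backslash
    escapes), so an operator name inside a comment or string is not counted.
    Simplification: hex/ASCII85 string bodies come out as ordinary names.
    """
    i, n = 0, len(ps)
    while i < n:
        c = ps[i]
        if c == "%":                       # comment runs to end of line
            while i < n and ps[i] not in "\r\n":
                i += 1
        elif c == "(":                     # string literal, may nest
            depth = 1
            i += 1
            while i < n and depth:
                if ps[i] == "\\":
                    i += 1                 # skip the escaped character
                elif ps[i] == "(":
                    depth += 1
                elif ps[i] == ")":
                    depth -= 1
                i += 1
        elif c.isspace() or c in DELIMS:
            i += 1
        else:
            start = i
            while i < n and not ps[i].isspace() and ps[i] not in DELIMS:
                i += 1
            # /name is a literal (a definition or key), not a call
            yield ps[start:i], start > 0 and ps[start - 1] == "/"


def gs_defines(argv):
    """Names defined on the command line by -dNAME or -DNAME[=value]."""
    return {a[2:].split("=", 1)[0] for a in argv if a[:2] in ("-d", "-D")}


def audit(argv, init_ps):
    """Return a list of findings for one command line plus init string.

    Static only: it cannot tell whether a .setsafe token is actually
    reached at run time (for example when it sits inside a conditional).
    """
    defines = gs_defines(argv)
    calls = [name for name, literal in ps_names(init_ps) if not literal]
    findings = []
    if "DELAYSAFER" in defines and ".setsafe" not in calls:
        findings.append("DELAYSAFER set but no executable .setsafe token")
    hidden = calls.count(".runandhide")
    if hidden:
        findings.append(".runandhide used %d time(s)" % hidden)
    return findings


# Constructed sample: .setsafe appears only in a comment and in a string.
RECIPE_ARGV = ["-q", "-dSAFER", "-dDELAYSAFER", "-dNOPAUSE", "-sDEVICE=png16m"]
RECIPE_PS = (
    "% remember to call .setsafe before running user files\n"
    "(.setsafe) print\n"
    "(input.ps) (r) file cvx exec\n"
)

# Excerpt from the transcript in message #5 (shell escapes removed,
# middle of the init string omitted).
REPORT_ARGV = ["-q", "-dNOPAUSE", "-DNOPLATFONTS", "-dPrinted",
               "-dTextAlphaBits=4", "-dGraphicsAlphaBits=4",
               "-sDEVICE=png16m", "-r103.68x103.771"]
REPORT_PS = (
    "{<</PermitFileReading[(_region_.pdf)(_region_.prv/tmp2625buv/preview.dsc)]>> "
    "setuserparams .locksafe} stopped pop {DELAYSAFER{.setsafe}if}stopped pop"
    "/preview-do{[count 3 roll save]3 1 roll dup length 0 eq{pop}{setpagedevice}"
    "{ifelse .runandhide}stopped{handleerror quit}if aload pop restore}bind def "
    "[(_region_.prv/tmp2625buv/preview.dsc)(r)file]aload exch dup 0 setfileposition "
    "457()/SubFileDecode filter cvx .runandhide aload pop "
)

if __name__ == "__main__":
    for label, argv, ps in (("recipe", RECIPE_ARGV, RECIPE_PS),
                            ("report", REPORT_ARGV, REPORT_PS)):
        print(label, audit(argv, ps) or "no findings")
```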





Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Sat, 04 Nov 2017 19:46:02 GMT) Full text and rfc822 format available.

Message #28 received at 28811 <at> debbugs.gnu.org (full text, mbox):

From: David Kastrup <dak <at> gnu.org>
To: Ken Sharp <ken.sharp <at> artifex.com>
Cc: Arash Esbati <arash <at> gnu.org>, 28811 <at> debbugs.gnu.org
Subject: Re: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Sat, 04 Nov 2017 20:45:40 +0100

Ken Sharp <ken.sharp <at> artifex.com> writes:

> At 18:16 04/11/2017 +0100, David Kastrup wrote:
>
>>It's rendering individual PostScript files in an order determined by
>>the current position in a viewer (in this case an Emacs file), and the
>>individual files are externally provided, so they may contain
>>malicious code.
>
> Provided they are in the current directory,

I am not sure that can be arranged.

> as far as I'm aware you don't need to break SAFER for them, because
> the current working directory is permitted. I can't recall if that
> requires -P- or not, it may do.

I am pretty sure that it didn't work by default.

>>Pretty much the principal reason for the existence of DELAYSAFER.
>
> DELAYSAFER is there to permit operations to be concluded that won't
> work if you have SAFER. This is, however, a massive security hole,
> there are any number of implementations and 'recipes' out there which
> use SAFER and DELAYSAFER and never call .setsafe.

Not preview-latex.  It isn't a "security hole" unless you make it one.

> Also WRITESYSTEMDICT and other things.
>
> In any event, DELAYSAFER hasn't changed.

It's pretty pointless unless one can use .runandhide to temporarily be
safe.

>>This uses Ghostscript interactively via pipes (or a tty, I forget
>>which): if there was a mode "be unsafe on the Ghostscript interpreter
>>command line and safe within files read from there", that would work.
>
> No way that Ghostscript can tell the difference, at the interpreter
> level, it all just comes in as streamed data.

Well, then it is .runandhide .

>>How are safe PostScript viewers to be implemented now?
>
> Well, you can use SAFER, you can even use DELAYSAFER, that has not
> changed. What I'm questioning is the use of .runandhide.

I repeat: the order of the files to be rendered is not known when
Ghostscript is started: that depends on where the viewer is paging when
Ghostscript has free capacities.  This "render stuff currently on screen
first" thing is pretty important for maintaining good interactivity.
.runandhide is used for rendering one file safely, then get Ghostscript
back into a state where it is possible to tell it via pipe to its
command line what to do next.

-- 
David Kastrup




Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Sat, 04 Nov 2017 23:36:01 GMT) Full text and rfc822 format available.

Message #31 received at 28811 <at> debbugs.gnu.org (full text, mbox):

From: Arash Esbati <arash <at> gnu.org>
To: Ken Sharp <ken.sharp <at> artifex.com>
Cc: 28811 <at> debbugs.gnu.org, dak <at> gnu.org
Subject: Re: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Sun, 05 Nov 2017 00:34:06 +0100

Ken Sharp <ken.sharp <at> artifex.com> writes:

> The problem is that PostScript is a programming language, and the
> snippets above, intermingled with some other language, are a)
> difficult to read and b) shorn of context. It's hard for me to pick out
> just the PostScript from whatever the other language is and without
> knowing what the aim is it's pretty much impossible to figure out what
> the PostScript is doing.

Hi Ken,

thanks for your response.  I was afraid that the solution would not be
that easy by just replacing some PostScript-code in an Elisp-function
:-)

> I don't suppose there's anyone still around who knows what the
> PostScript is supposed to do ? I really need to discuss this with
> someone who understands the intended purpose of that PostScript code.

David K. is the principal author of preview-latex and he is still
around.  I hope he can manage to find a solution with you, somehow.

> If you want to go down that route, then can I suggest reopening our
> bug 698680:
>
> https://bugs.ghostscript.com/show_bug.cgi?id=698680
>
> and attaching the PostScript file there (and any other files needed to
> make the program run).

Thanks for the offer.  I'm looking forward to seeing if David and you
can find a solution.  If it comes to file exchange, we can go this
route.

Best, Arash




Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Sun, 05 Nov 2017 16:19:01 GMT) Full text and rfc822 format available.

Message #34 received at 28811 <at> debbugs.gnu.org (full text, mbox):

From: Ken Sharp <ken.sharp <at> artifex.com>
To: David Kastrup <dak <at> gnu.org>
Cc: Arash Esbati <arash <at> gnu.org>, 28811 <at> debbugs.gnu.org
Subject: Re: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Sun, 05 Nov 2017 16:14:28 +0000

At 20:45 04/11/2017 +0100, David Kastrup wrote:


> > Also WRITESYSTEMDICT and other things.
> >
> > In any event, DELAYSAFER hasn't changed.
>
>It's pretty pointless unless one can use .runandhide to temporarily be
>safe.

Make *what* safe ? .runandhide wasn't (directly) an aspect of SAFER or 
DELAYSAFER, it's perfectly possible to have, and write PostScript which is 
not compatible with SAFER (and which therefore needs to be run before 
SAFER) but which doesn't require .runandhide.


>I repeat: the order of the files to be rendered is not known when
>Ghostscript is started: that depends on where the viewer is paging when
>Ghostscript has free capacities.
>   This "render stuff currently on screen
>first" thing is pretty important for maintaining good interactivity.
>.runandhide is used for rendering one file safely, then get Ghostscript
>back into a state where it is possible to tell it via pipe to its
>command line what to do next.

OK bear in mind I have yet to see a complete PostScript transcript. All 
I've seen is fragments, buried inside other code.

I have not said 'we're not putting it back', I've said 'let's discuss 
this'. If you can please explain why you can't refactor your PostScript to 
do away with .runandhide then we'll certainly consider this.

However, all I'm getting (and this may well be my faulty understanding from 
the limited code I've seen) is 'put it back, because we need it and we 
can't change'

Now I'm prepared to believe that, but I'd like to see why that's required, 
at the moment I don't see why it is. Maybe we can suggest alternatives that 
will be satisfactory.

So please; send me a simple example of the PostScript that gets sent to 
Ghostscript. If you can arrange for that to be annotated with comments 
explaining what the code does that would be great, if not then just the raw 
code.

I do need to understand why you need .runandhide; what it's doing for you 
that you need to have, and can't achieve another way. I appreciate that it's 
'because you don't know what files are going to be run' which is fine, but 
rather high level as an explanation. What specifically is .runandhide doing 
for you that you can't achieve without it ?

Note that we went through our own code examples removing the requirement 
from our code, so we are not entirely unfamiliar with techniques to deal 
with this.


                        Ken





Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Sun, 05 Nov 2017 18:25:01 GMT) Full text and rfc822 format available.

Message #37 received at 28811 <at> debbugs.gnu.org (full text, mbox):

From: David Kastrup <dak <at> gnu.org>
To: Ken Sharp <ken.sharp <at> artifex.com>
Cc: Arash Esbati <arash <at> gnu.org>, 28811 <at> debbugs.gnu.org
Subject: Re: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Sun, 05 Nov 2017 19:24:30 +0100

Ken Sharp <ken.sharp <at> artifex.com> writes:

> At 20:45 04/11/2017 +0100, David Kastrup wrote:
>
>
>> > Also WRITESYSTEMDICT and other things.
>> >
>> > In any event, DELAYSAFER hasn't changed.
>>
>>It's pretty pointless unless one can use .runandhide to temporarily be
>>safe.
>
> Make *what* safe ? .runandhide wasn't (directly) an aspect of SAFER or
> DELAYSAFER, it's perfectly possible to have, and write PostScript which
> is not compatible with SAFER (and which therefore needs to be run
> before SAFER) but which doesn't require .runandhide.

The problem is that we need _unsafe_ code to run _after_ SAFER.  From
the Ghostscript command line that gets back into control after
.runandhide has interpreted an external file in SAFER mode.
.runandhide was implemented for that use case: getting back into unsafe
mode without this being possible for the code that is run under control
of the unsafe environment.

>>I repeat: the order of the files to be rendered is not known when
>>Ghostscript is started: that depends on where the viewer is paging when
>>Ghostscript has free capacities.
>>   This "render stuff currently on screen
>>first" thing is pretty important for maintaining good interactivity.
>>.runandhide is used for rendering one file safely, then get Ghostscript
>>back into a state where it is possible to tell it via pipe to its
>>command line what to do next.
>
> OK bear in mind I have yet to see a complete PostScript
> transcript. All I've seen is fragments, buried inside other code.

I can run a script teeing off the in- and output instead of running
Ghostscript directly.  You have to be aware that _any_ such log will
_not_ demonstrate the need for getting back into unsafe mode since once
you know all operations you want to do, you can do all unsafe operations
first and no longer need to revert to unsafe.  The point is that the
user actions determine the next files to be rendered and thus determine
the next unsafe operation (namely which file to open next).

> I have not said 'we're not putting it back', I've said 'let's discuss
> this'. If you can please explain why you can't refactor your
> PostScript to do away with .runandhide then we'll certainly consider
> this.

Well, I keep explaining it without seeing any point being taken up.
That makes it hard to guess where to invest work next with the hope for
success.

> However, all I'm getting (and this may well be my faulty understanding
> from the limited code I've seen) is 'put it back, because we need it
> and we can't change'

You don't propose any way in which we could change in order to render
different files outside of the Ghostscript directories in a
non-prearranged order in safe mode.  We do this from the command line
since that is the basic interaction point for Ghostscript.  Do you see
any other manners to tell Ghostscript "please render _this_ file next,
in SAFER mode, and then return for further (unsafe) instructions".

We've been running around changes in Ghostscript's implementation and
rules at least 5 times.  If there was any way guaranteed to actually
stay around, that would be quite the relief.

> Now I'm prepared to believe that, but I'd like to see why that's
> required, at the moment I don't see why it is. Maybe we can suggest
> alternatives that will be satisfactory.

So what do you actually need?

> So please; send me a simple example of the PostScript that gets sent
> to Ghostscript. If you can arrange for that to be annotated with
> comments explaining what the code does that would be great, if not
> then just the raw code.
>
> I do need to understand why you need .runandhide; what it's doing for
> you that you need to have,

Being able to run in safer mode, and _yet_ _afterwards_ specify the next
file to render outside of the Ghostscript accessible tree.

That is all.

> and can't achieve another way.

Is there another way?

> I appreciate that it's 'because you don't know what files are going to
> be run' which is fine, but rather high level as an explanation. What
> specifically is .runandhide doing for you that you can't achieve
> without it ?

It puts "unsafe mode" outside of the access of the file running in SAFER
mode while returning back into it.  That's all.  If you have to store
the unsafe context anywhere where the file running in SAFER mode could
access it, there is no actual safety.

> Note that we went through our own code examples removing the
> requirement from our code, so we are not entirely unfamiliar with
> techniques to deal with this.

So how did you do that?

-- 
David Kastrup




Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Sun, 05 Nov 2017 20:10:02 GMT) Full text and rfc822 format available.

Message #40 received at 28811 <at> debbugs.gnu.org (full text, mbox):

From: Ken Sharp <ken.sharp <at> artifex.com>
To: David Kastrup <dak <at> gnu.org>
Cc: Arash Esbati <arash <at> gnu.org>, 28811 <at> debbugs.gnu.org
Subject: Re: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Sun, 05 Nov 2017 20:09:34 +0000
At 19:24 05/11/2017 +0100, you wrote:


> > Make *what* safe ? .runandhide wasn't (directly) an aspect of SAFER or
> > DELAYSAFER, it's perfectly possible to have, and write PostScript which
> > is not compatible with SAFER (and which therefore needs to be run
> > before SAFER) but which doesn't require .runandhide.
>
>The problem is that we need _unsafe_ code to run _after_ SAFER.  From
>the Ghostscript command line that gets back into control after
>.runandhide has interpreted an external file in SAFER mode.

You don't need .runandhide to execute 'unsafe' code, it has other side 
effects. I'm trying to get to the bottom of which of those side-effects you 
need, and why. Part of the problem is that I'm only seeing a tiny fraction 
of the program and have no clue how the bit I have seen is actually used.


>I can run a script teeing off the in- and output instead of running
>Ghostscript directly.  You have to be aware that _any_ such log will
>_not_ demonstrate the need for getting back into unsafe mode since once
>you know all operations you want to do, you can do all unsafe operations
>first and no longer need to revert to unsafe.  The point is that the
>user actions determine the next files to be rendered and thus determine
>the next unsafe operation (namely which file to open next).

But I would very much like to see the sequence of operations, and more 
importantly the whole PostScript program, or at least all the initial 
program. It's terribly hard to make judgements based on a couple of program
fragments with no context to draw on.


> > I have not said 'we're not putting it back', I've said 'let's discuss
> > this'. If you can please explain why you can't refactor your
> > PostScript to do away with .runandhide then we'll certainly consider
> > this.
>
>Well, I keep explaining it without seeing any point being taken up.

Well I'm sorry, clearly I'm being obtuse. From my perspective you are 
explaining that 'you need to run unsafe code' or 'you need it because you 
need to execute in an arbitrary order'. OK I'm not arguing any of that, but 
I don't see why you specifically need .runandhide in order to do so.

I need a more detailed explanation, why specifically do you need 
.runandhide instead of say exec ?


>That makes it hard to guess where to invest work next with the hope for
>success.

Well, I've asked for a transcript of what gets sent to Ghostscript, that 
would help. Even just the actual initial PostScript program would tell me 
more than what I've seen so far.


>You don't propose any way in which we could change in order to render
>different files outside of the Ghostscript directories in a
>non-prearranged order in safe mode.

That's because I don't see what you are doing now. This is too high level 
an explanation for me to see what it is you are actually doing.


>We've been running around changes in Ghostscript's implementation and
>rules at least 5 times.

Interesting, in what way has Ghostscript changed in the past that's caused 
you problems ? Have you discussed this with anyone ? While I do see your 
name in the archives, it appears to be mostly in discussion with me. Once 
due to strokeadjust and PDF, and once with some other Lilypond stuff. I 
haven't seen anything from AucTeX before. Of course, it could easily 
predate my involvement.

Obviously if there are bugs in the PostScript implementation we have to fix 
them, but that's comparatively rare I would have thought these days.


>   If there was any way guaranteed to actually
>stay around, that would be quite the relief.

Well, first and most obvious would be not to use non-standard PostScript. 
Obviously that's not an option, because the PostScript interpreter allows 
arbitrary execution and traversal of the file system. So you need to use 
-dSAFER if you aren't prepared to trust the PostScript files you are going 
to run.

But you can't simply do that because (it seems to me) you want to run 
Ghostscript 'interactively', except that you don't really mean 
interactively, you really mean in something like a job server loop. 
Interactively to me would mean from the GS command prompt.

Now to me that would suggest that rather than launching Ghostscript and 
leaving it lying around until you want to send it something, you launch it 
once per PostScript program, and close it in between.

You don't want to do that, and I can accept that, but I still do not at 
present understand the way you are using Ghostscript now. Nor do I 
understand the absolute requirement for .runandhide.

I'm trying to understand, but at present I just don't get it.


> > Now I'm prepared to believe that, but I'd like to see why that's
> > required, at the moment I don't see why it is. Maybe we can suggest
> > alternatives that will be satisfactory.
>
>So what do you actually need?

Well, the actual PostScript program would give me context. If you can 
explain why you specifically need .runandhide rather than simply running in 
-dSAFER and using exec that would be good. Also why you need to launch 
Ghostscript and leave it running, rather than launching it once for each 
PostScript program, though that's rather less important (though possibly 
easier to explain).



> > I do need to understand why you need .runandhide; what it's doing for
> > you that you need to have,
>
>Being able to run in safer mode, and _yet_ _afterwards_ specify the next
>file to render outside of the Ghostscript accessible tree.
>
>That is all.

Yes but I still don't see why you need .runandhide to achieve this.


> > and can't achieve another way.
>
>Is there another way?

I don't know, because I don't know what it is you are doing now. Yes, I 
know I'm a stuck record here, but I can't suggest an alternative (if such a 
thing is even possible) without understanding how you are currently using 
Ghostscript. Just knowing what you want to achieve is not sufficient I
need to know how you are currently achieving it, and ideally, why.


>It puts "unsafe mode" outside of the access of the file running in SAFER
>mode while returning back into it.  That's all.  If you have to store
>the unsafe context anywhere where the file running in SAFER mode could
>access it, there is no actual safety.

And the unsafe context you are storing is what exactly ?


> > Note that we went through our own code examples removing the
> > requirement from our code, so we are not entirely unfamiliar with
> > techniques to deal with this.
>
>So how did you do that?

Mostly by simply deleting it.

In passing, the reason we removed a lot of these operators was precisely 
because of security concerns. We've recently had a number of reports which 
revolved around non-standard operators being used in unforeseen ways.
Usually these result in crashes but we've also seen denial of service, 
directory and file traversal/retrieval and some cases where it was possible 
to execute arbitrary code. Note that these have been true in some instances 
even when -dSAFER is set.

Obviously those reported problems have been fixed, but it seemed reasonable 
to reduce the attack surface by removing operators which are no longer 
required, or not required after startup.

Now we fully expected to have to work with Ghostscript users afterwards, 
we've had some customers and some free users discuss the changes with us. 
So far we've been able to help them remove the requirements from their own 
code but that doesn't mean we *won't* restore the operators if they are 
genuinely needed. It does mean that we would like to talk about it and 
understand the requirements properly first.


Given the rather acrimonious past history of our discussions, I think it 
may be better if I hand this to a colleague. I'll speak to someone tomorrow 
and see if they are willing to take it on.



                        Ken





Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Sun, 05 Nov 2017 20:53:02 GMT) Full text and rfc822 format available.

Message #43 received at 28811 <at> debbugs.gnu.org (full text, mbox):

From: David Kastrup <dak <at> gnu.org>
To: Ken Sharp <ken.sharp <at> artifex.com>
Cc: Arash Esbati <arash <at> gnu.org>, 28811 <at> debbugs.gnu.org
Subject: Re: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Sun, 05 Nov 2017 21:52:29 +0100
Ken Sharp <ken.sharp <at> artifex.com> writes:

> At 19:24 05/11/2017 +0100, you wrote:
>
>
>> > Make *what* safe ? .runandhide wasn't (directly) an aspect of SAFER or
>> > DELAYSAFER, it's perfectly possible to have, and write PostScript which
>> > is not compatible with SAFER (and which therefore needs to be run
>> > before SAFER) but which doesn't require .runandhide.
>>
>>The problem is that we need _unsafe_ code to run _after_ SAFER.  From
>>the Ghostscript command line that gets back into control after
>>.runandhide has interpreted an external file in SAFER mode.
>
> You don't need .runandhide to execute 'unsafe' code,

We use it to execute potentially unsafe code in a SAFER environment.
But we need to get back to non-SAFER mode afterwards without the
potentially unsafe code having a possibility to get into non-SAFER mode.

>>I can run a script teeing off the in- and output instead of running
>>Ghostscript directly.  You have to be aware that _any_ such log will
>>_not_ demonstrate the need for getting back into unsafe mode since
>>once you know all operations you want to do, you can do all unsafe
>>operations first and no longer need to revert to unsafe.  The point is
>>that the user actions determine the next files to be rendered and thus
>>determine the next unsafe operation (namely which file to open next).
>
> But I would very much like to see the sequence of operations, and more
> importantly the whole PostScript program, or at least all the initial
> program. It's terribly hard to make judgements based on a couple of
> program fragments with no context to draw on.

Ok, will do tomorrow.

>> > I have not said 'we're not putting it back', I've said 'let's discuss
>> > this'. If you can please explain why you can't refactor your
>> > PostScript to do away with .runandhide then we'll certainly consider
>> > this.
>>
>>Well, I keep explaining it without seeing any point being taken up.
>
> Well I'm sorry, clearly I'm being obtuse. From my perspective you are
> explaining that 'you need to run unsafe code' or 'you need it because
> you need to execute in an arbitrary order'. OK I'm not arguing any of
> that, but I don't see why you specifically need .runandhide in order
> to do so.

Because we want to execute potentially unsafe code not under our control
in SAFER mode and afterwards get back into non-SAFER mode in order to
do things not allowed in SAFER mode.  Repeatedly.

> I need a more detailed explanation, why specifically do you need
> .runandhide instead of say exec ?

Because exec will either not run in SAFER mode or not get back into
non-SAFER mode.

>>That makes it hard to guess where to invest work next with the hope
>>for success.
>
> Well, I've asked for a transcript of what gets sent to Ghostscript,
> that would help. Even just the actual initial PostScript program would
> tell me more than what I've seen so far.

As I said, I will do.  Though our conversation so far is not exactly
leaving much hope for this to explain anything in a clearer manner than
I already did.

> Interesting, in what way has Ghostscript changed in the past that's
> caused you problems ? Have you discussed this with anyone ? While I do
> see your name in the archives, it appears to be mostly in discussion
> with me. Once due to strokeadjust and PDF, and once with some other
> Lilypond stuff. I haven't seen anything from AucTeX before. Of course,
> it could easily predate my involvement.

About half of the changes were done by me, the other half by Ralf
Angeli.  So far either of us had been able to find yet another
workaround.  But without anything like .runandhide left, I don't see
what we could be doing next.

> Obviously if there are bugs in the PostScript implementation we have
> to fix them, but that's comparatively rare I would have thought these
> days.

Those were not exactly bugs but changes in semantics, usually about what
was considered SAFER and what not.  SAFER mode is not in PostScript, so
one cannot really talk about "bugs" for that.  More like inconveniences
in the context of refining SAFER.  A nuisance, but not of the
break-of-promises kind.

.runandhide is certainly not part of the PostScript standard, but it was
a documented part of Ghostscript.

>>   If there was any way guaranteed to actually
>>stay around, that would be quite the relief.
>
> Well, first and most obvious would be not to use non-standard
> PostScript.

> But you can't simply do that because (it seems to me) you want to run
> Ghostscript 'interactively', except that you don't really mean
> interactively, you really mean in something like a job server
> loop. Interactively to me would mean from the GS command
> prompt.

Sigh.  As I stated several times already, we do run Ghostscript from the
GS command prompt.  We even wait for the prompt before feeding it its
next command.

> Now to me that would suggest that rather than launching Ghostscript
> and leaving it lying around until you want to send it something, you
> launch it once per PostScript program, and close it in between.

No, we don't.  We run it from the command prompt and don't close it in
between.

> You don't want to do that, and I can accept that, but I still do not
> at present understand the way you are using Ghostscript now.

From the command prompt.  On a pseudo-tty or a pipe (not much of a
difference to Emacs).  That's why your transcript will be teed off from
a script called instead of Ghostscript: if we didn't feed it via its
input and interpreted its output, there would be nothing to tee off.

> Nor do I understand the absolute requirement for .runandhide.

How do you get temporarily into SAFER mode for executing a file without
it?  I keep asking this question.

> Well, the actual PostScript program would give me context. If you can
> explain why you specifically need .runandhide rather than simply
> running in -dSAFER and using exec that would be good.

If I can't get back out of -dSAFER mode I cannot at the end of
processing of one file select a file in a preview-latex chosen place to
execute next.  That's what -dSAFER prohibits.

> Also why you need to launch Ghostscript and leave it running, rather
> than launching it once for each PostScript program, though that's
> rather less important (though possibly easier to explain).

A performance hit by a factor of 10 if not more.  preview-latex creates
an image for every mathematical entity in a document, easily several
thousands of them, often just a few characters each.  Having to start a
fresh Ghostscript process for them that then has to read the fonts
(which are rarely more than a few dozen per document) would be
prohibitively expensive.  Doing all this in a single Ghostscript process
made preview-latex an actually useful tool rather than a toy.

>>Being able to run in safer mode, and _yet_ _afterwards_ specify the next
>>file to render outside of the Ghostscript accessible tree.
>>
>>That is all.
>
> Yes but I still don't see why you need .runandhide to achieve this.

You haven't mentioned any alternative way of doing it.

>>It puts "unsafe mode" outside of the access of the file running in SAFER
>>mode while returning back into it.  That's all.  If you have to store
>>the unsafe context anywhere where the file running in SAFER mode could
>>access it, there is no actual safety.
>
> And the unsafe context you are storing is what exactly ?

The object you get when executing "safe" before executing .setsafe.
Calling restore on it reverts to non-safe mode, so we don't want it
accessible to the potentially unsafe code executed in -dSAFER mode.

I mean, that's the textbook and documented way of using .runandhide.
It's not like we invented it.

> Usually these result in crashes but we've also seen denial of service,
> directory and file traversal/retrieval and some cases where it was
> possible to execute arbitrary code. Note that these have been true in
> some instances even when -dSAFER is set.

Calling "safe" in unsafe mode will deliver an object useful for
returning from -dSAFER _if_ code has access to that object.  .runandhide
was the documented way of hiding the object away from potentially unsafe
code.

-- 
David Kastrup




Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Sun, 05 Nov 2017 21:00:02 GMT) Full text and rfc822 format available.

Message #46 received at 28811 <at> debbugs.gnu.org (full text, mbox):

From: David Kastrup <dak <at> gnu.org>
To: Ken Sharp <ken.sharp <at> artifex.com>
Cc: Arash Esbati <arash <at> gnu.org>, 28811 <at> debbugs.gnu.org
Subject: Re: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Sun, 05 Nov 2017 21:59:39 +0100
David Kastrup <dak <at> gnu.org> writes:

> Ken Sharp <ken.sharp <at> artifex.com> writes:
>>
>> And the unsafe context you are storing is what exactly ?
>
> The object you get when executing "safe" before executing .setsafe.

s/"safe"/"save"/ of course.

> Calling restore on it reverts to non-safe mode, so we don't want it
> accessible to the potentially unsafe code executed in -dSAFER mode.
>
> I mean, that's the textbook and documented way of using .runandhide.
> It's not like we invented it.
>
>> Usually these result in crashes but we've also seen denial of service,
>> directory and file traversal/retrieval and some cases where it was
>> possible to execute arbitrary code. Note that these have been true in
>> some instances even when -dSAFER is set.
>
> Calling "safe"

"save" again.  Sorry.

> in unsafe mode will deliver an object useful for returning from
> -dSAFER _if_ code has access to that object.  .runandhide was the
> documented way of hiding the object away from potentially unsafe code.

>> Given the rather acrimonious past history of our discussions, I think
>> it may be better if I hand this to a colleague. I'll speak to someone
>> tomorrow and see if they are willing to take it on.

I am not sure that having to start over explaining will lead to an
improvement of my ability to communicate.

Being better able to tell computers what I am talking about than humans
is not exactly rewarding for me either, but when I am the main person
responsible for affected code, there is not much of a way for me to pass
the bucket.

-- 
David Kastrup
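
The mechanism described in the two messages above (a `save` object taken before `.setsafe`, and `.runandhide` keeping that object out of reach of the rendered file), as an added toy model in Python. It is not Ghostscript or preview-latex code; the class, the function names and all paths are constructed for illustration.

```python
# Toy model (assumption: a simplified operand stack, not Ghostscript itself)
# of the save / .setsafe / restore / .runandhide pattern from the thread.

FONT = "/usr/share/ghostscript/fonts/cmr10.pfb"   # constructed: inside allowed tree
PRIVATE = "/home/user/private.txt"                # constructed: outside allowed tree
NEXT_JOB = "/tmp/preview/pr2.ps"                  # constructed: driver's next file


class SandboxViolation(Exception):
    """Raised when SAFER mode refuses a file access."""


class SaveToken:
    """Stands in for the object `save` returns: it remembers the SAFER flag."""
    def __init__(self, safer):
        self.safer = safer


class Interp:
    def __init__(self, allowed_dir):
        self.stack = []            # operand stack, visible to any running program
        self.safer = False
        self.allowed_dir = allowed_dir
        self.opened = []           # file opens that were permitted

    def save(self):
        self.stack.append(SaveToken(self.safer))

    def setsafe(self):
        self.safer = True

    def restore(self):
        token = self.stack.pop()
        if not isinstance(token, SaveToken):
            raise TypeError("restore needs a save object")
        self.safer = token.safer   # reverts to the mode in force at `save`

    def open_file(self, path):
        if self.safer and not path.startswith(self.allowed_dir):
            raise SandboxViolation(path)
        self.opened.append(path)

    def exec_(self, program):
        program(self)              # save object stays on the stack

    def runandhide(self, program):
        hidden = self.stack.pop()  # take the save object away first
        try:
            program(self)
        finally:
            self.stack.append(hidden)   # hand it back to the driver afterwards


def benign_page(gs):
    gs.open_file(FONT)


def hostile_page(gs):
    # Untrusted file: uses a save object if one is reachable, then reads outside.
    if gs.stack and isinstance(gs.stack[-1], SaveToken):
        gs.restore()
    gs.open_file(PRIVATE)


def render(gs, page, hide):
    """Driver step: enter SAFER, run one untrusted page, return to non-SAFER."""
    gs.save()
    gs.setsafe()
    try:
        (gs.runandhide if hide else gs.exec_)(page)
        outcome = "ok"
    except SandboxViolation:
        outcome = "blocked"
    if gs.stack and isinstance(gs.stack[-1], SaveToken):
        gs.restore()
    return outcome


def run_session(hide):
    gs = Interp("/usr/share/ghostscript/")
    outcomes = [render(gs, benign_page, hide), render(gs, hostile_page, hide)]
    gs.open_file(NEXT_JOB)         # only possible once the driver is non-SAFER again
    return outcomes, gs.opened, gs.safer


if __name__ == "__main__":
    for hide in (False, True):
        print("hide =", hide, run_session(hide))
```

With `hide=False` the second page reaches the save object and its out-of-tree read succeeds; with `hide=True` the same read is refused and the driver can still pick its next file afterwards.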




Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Mon, 06 Nov 2017 09:41:01 GMT) Full text and rfc822 format available.

Message #49 received at 28811 <at> debbugs.gnu.org (full text, mbox):

From: Ken Sharp <ken.sharp <at> artifex.com>
To: David Kastrup <dak <at> gnu.org>
Cc: Arash Esbati <arash <at> gnu.org>, 28811 <at> debbugs.gnu.org
Subject: Re: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Mon, 06 Nov 2017 09:40:25 +0000
At 21:59 05/11/2017 +0100, David Kastrup wrote:


> >> Given the rather acrimonious past history of our discussions, I think
> >> it may be better if I hand this to a colleague. I'll speak to someone
> >> tomorrow and see if they are willing to take it on.
>
>I am not sure that having to start over explaining will lead to an
>improvement of my ability to communicate.

I think it will, because frankly I'm not prepared to keep listening to what 
I consider abuse. I feel I've tried to be reasonable here and up to now, 
polite, and you still haven't supplied what I've asked for. I will admit 
that on every email I learn a little more about what *exactly* you are 
doing, but I'm tired of the drip feed of information, laced with snide 
comments.

I don't need this level of stress, and I don't actually have to put up with it.

At this point my own inclination is simply to refuse to restore the 
operator. However I can recognise that I may be being unreasonable, 
potentially due to a simple clash of personalities. So, to try and act 
professionally, rather than simply washing my hands and walking away, I'm 
going to ask someone else to deal with it.

Perhaps there will be less of a conflict of personalities and you will be 
able to work more easily with others. This also gives you an opportunity to 
persuade someone else of the merits of your case, without prejudice from me.

I will, of course, forward on the previous emails and my understanding of 
the situation so far.

[later]

After discussion, we've decided the best way forward is to reopen the bug
report and continue this in public, rather than by email. This would have 
been my preferred option originally, and was what I suggested, because it 
obviates the need to reprise the situation for the other developers. Well, 
water under the bridge. I have added David Kastrup to the CC list on the 
bug thread.

When you have a PostScript file, please attach it to the bug:

https://bugs.ghostscript.com/show_bug.cgi?id=698680

I have forwarded on the emails to date, verbatim, and described what I 
understand of the method of operation and requirements, along with my own 
suggestions. I won't take any further part in the discussion of the bug, to 
avoid influence.


Please do not reply further to me on this subject, as I will simply delete 
such email unread.

                    Ken





Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Tue, 07 Nov 2017 09:34:02 GMT) Full text and rfc822 format available.

Message #52 received at 28811 <at> debbugs.gnu.org (full text, mbox):

From: David Kastrup <dak <at> gnu.org>
To: Arash Esbati <arash <at> gnu.org>
Cc: 28811 <at> debbugs.gnu.org, Ken Sharp <ken.sharp <at> artifex.com>
Subject: Re: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Tue, 07 Nov 2017 10:32:50 +0100
Arash Esbati <arash <at> gnu.org> writes:

> Ken Sharp <ken.sharp <at> artifex.com> writes:
>
>> The problem is that PostScript is a programming language, and the
>> snippets above, intermingled with some other language, are a)
>> difficult to read and b) shorn of context. It's hard for me to pick out
>> just the PostScript from whatever the other language is and without
>> knowing what the aim is it's pretty much impossible to figure out what
>> the PostScript is doing.
>
> Hi Ken,
>
> thanks for your response.  I was afraid that the solution would not be
> that easy by just replacing some PostScript-code in an Elisp-function
> :-)
>
>> I don't suppose there's anyone still around who knows what the
>> PostScript is supposed to do ? I really need to discuss this with
>> someone who understands the intended purpose of that PostScript code.
>
> David K. is the principal author of preview-latex and he is still
> around.  I hope he can manage to find a solution with you, somehow.

I've committed an (admittedly ugly) fix to AUCTeX master.  Most of the
work had actually already been done in previous commits, something which
I had not properly remembered, so we did not actually use .runandhide in
a security-relevant context any more.  My participation in the
discussion was based on remembering an earlier implementation we used,
so the resulting controversy was disproportionate to the impact of the
actually needed fix.

While I cannot presume to understand the motivation of the Ghostscript
developers in removing the documented operator intended to facilitate
temporarily entering safe mode while interpreting externally provided
files without working replacement (the jobserver functionality in the
official PostScript standard has a known large security hole in
Ghostscript's implementation and is not suggested in -dSAFER
documentation for use anyway), the truth was that preview-latex already
had stopped relying on the security-related aspects of .runandhide in a
previous iteration of our code.

So the comparatively simplistic fix I committed does not really come
with security implications as we don't retain a way for leaving the
-dSAFER sandbox once entering it.

-- 
David Kastrup




Merged 28811 29249. Request was from mose <at> gnu.org (Mosè Giordano) to control <at> debbugs.gnu.org. (Fri, 10 Nov 2017 17:14:01 GMT) Full text and rfc822 format available.

Information forwarded to bug-auctex <at> gnu.org:
bug#28811; Package auctex. (Sat, 18 Nov 2017 23:17:01 GMT) Full text and rfc822 format available.

Message #57 received at 28811 <at> debbugs.gnu.org (full text, mbox):

From: Arash Esbati <arash <at> gnu.org>
To: David Kastrup <dak <at> gnu.org>
Cc: 28811 <at> debbugs.gnu.org
Subject: Re: bug#28811: 11.90.2.2017-07-25; preview-at-point
Date: Sun, 19 Nov 2017 00:06:27 +0100
David Kastrup <dak <at> gnu.org> writes:

> I've committed an (admittedly ugly) fix to AUCTeX master.

Thanks for fixing this!  I've also added a note to changes.texi that
preview works with Ghostscript 9.22.

Best, Arash




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 17 Dec 2017 12:24:03 GMT) Full text and rfc822 format available.

This bug report was last modified 7 years and 185 days ago.
