Re: [groff] Fonts, PDF images, groff vs. heirloom troff

2019-01-23 Thread Pierre-Jean Fichet
aksr wrote:
> On Tue, Jan 22, 2019 at 08:27:08AM +0100, Pierre-Jean Fichet wrote:
> > Neatroff does both of these. It supports OpenType fonts, but does not offer
> > as much control as Heirloom Troff does.
> Are you sure about that? Heirloom troff is able to set ligatures with .flig and .fdeferlig,

Re: [groff] [vinc...@vinc17.net: Bug#920269: groff: gropdf can execute arbitrary commands]

2019-01-23 Thread Vincent Lefevre
On 2019-01-23 13:56:04 +, Colin Watson wrote:
> I'm not quite sure of the circumstances in which an attacker (presumably
> the author of a document you've received) might be able to control the
> arguments to gropdf; but regardless, this does seem to be undesirable
> command-line handling and I

Re: [groff] Bug#920269: Bug#920269: [vinc...@vinc17.net: Bug#920269: groff: gropdf can execute arbitrary commands]

2019-01-23 Thread Colin Watson
On Wed, Jan 23, 2019 at 03:02:26PM +, Ralph Corderoy wrote:
> Hi Colin,
>
> > So this option would also lose support for Debian 8 (currently
> > oldstable).
>
> Also, `<<>>' doesn't support `-' to mean stdin.
> That might affect users of the groff Perl scripts that use `<>'.

Ah, yes - in tha

Re: [groff] [vinc...@vinc17.net: Bug#920269: groff: gropdf can execute arbitrary commands]

2019-01-23 Thread Jakub Wilk
* Colin Watson , 2019-01-23, 13:56:
> Perl >= 5.20 has the safer <<>> operator,

It was actually added only in Perl 5.22.

perl5220delta man page says:

    New double-diamond operator "<<>>" is like "<>" but uses three-argument
    "open" to open each file in @ARGV. This means that each element of @ARG

Re: [groff] Bug#920269: [vinc...@vinc17.net: Bug#920269: groff: gropdf can execute arbitrary commands]

2019-01-23 Thread Ralph Corderoy
Hi Colin,

> So this option would also lose support for Debian 8 (currently
> oldstable).

Also, `<<>>' doesn't support `-' to mean stdin.
That might affect users of the groff Perl scripts that use `<>'.

    $ pacman -Q perl
    perl 5.28.1-1
    $
    $ perl -e 'while ( <> ) {}' - >) {}' -

Re: [groff] Bug#920269: [vinc...@vinc17.net: Bug#920269: groff: gropdf can execute arbitrary commands]

2019-01-23 Thread Colin Watson
On Wed, Jan 23, 2019 at 03:21:53PM +0100, Jakub Wilk wrote:
> * Colin Watson , 2019-01-23, 13:56:
> > Perl >= 5.20 has the safer <<>> operator,
>
> It was actually added only in Perl 5.22.

Sorry, indeed so - I grepped the perl*delta man pages for it but misread "5220" as "5200".

So this option w

[groff] [vinc...@vinc17.net: Bug#920269: groff: gropdf can execute arbitrary commands]

2019-01-23 Thread Colin Watson
Hi,

I'm not quite sure of the circumstances in which an attacker (presumably the author of a document you've received) might be able to control the arguments to gropdf; but regardless, this does seem to be undesirable command-line handling and I think we should fix it.

    $ find -name \*.pl | xarg