[tex-live] ConTeXt in TL on Windows broken

Mojca Miklavec mojca.miklavec.lists at gmail.com
Wed Jun 2 12:44:54 CEST 2010


On Tue, Jun 1, 2010 at 21:18, T T wrote:
> On 1 June 2010 17:49, Mojca Miklavec wrote:
>> On Tue, Jun 1, 2010 at 18:30, T T wrote:
>
> I didn't think that this "%PATH" was meant literally.  In that case
> there is something really wrong with the installer.

Yes, it was meant literally. But I have never said that TL installer
has set that path :) :) :)

(There is some weird thing going on that I still don't understand, but
it is not related to TL. When I open a new cmd, it sometimes holds TL
binaries in PATH and sometimes not, so I sometimes have to set the
path manually. But I won't spend any time trying to figure out why
that happens since it might be any component of software that's
interfering. I'm using a virtual machine with single windows and some
imitation of start menu.)

>> You don't need to understand.
>
> Well, since making sure that things run smoothly on windows is a big
> part of what I (try to) do in this project, I would like to understand
> in case I got something wrong.

You can try to set the path literally to the same value as mine if you
want to test why binary search is failing. But there is nothing wrong
with the installer.

>> Vyatcheslav had the same problem - his windows installer is
>
> By "his windows installer" you mean install-tl, right?

No, I mean this one:
    http://minimals.contextgarden.net/setup/context-installer/
(but I need to check why the date of the file is so old.)

> Consider the following scenario: you get a zipped document with a
> rogue texlua.exe binary in it.  This binary has hidden attribute set
> and therefore it won't even show up on the majority of windows systems
> (by default hidden files are not shown).  With default search order
> for binaries it is now enough to process this document to execute the
> rogue program and gain full control.  Moreover, the attack is stealthy
> - the user might never know about it.

I'm not sure about the current state of luatex, but last time we tried
it was no problem to put a statement
    os.execute('rm -rf something')
inside a TeX document. And Reinhard might also be right about
security. In my view it is OK to first search in path and then in
current directory, but searching in current directory at all and in
"path that is a bit wrong, but still works for windows" might still
make sense.

I'll test Taco's update.

Mojca
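
Added example, not part of the original message and not TeX Live or ConTeXt code: a Python illustration of the lookup order debated above, resolving a program from absolute PATH entries only and reporting a same-named file in the current directory instead of running it. The names `trusted_dirs`, `resolve_binary` and `demo`, the directory layout and the sample PATH value are constructed assumptions.

```python
import os
import tempfile


def trusted_dirs(path_env, cwd, sep=os.pathsep):
    """Yield PATH entries that are absolute and are not the current directory."""
    cwd_real = os.path.realpath(cwd)
    for entry in path_env.split(sep):
        if not entry or not os.path.isabs(entry):
            continue  # drops "", "." and unexpanded fragments such as "%PATH"
        if os.path.realpath(entry) == cwd_real:
            continue  # the document directory must never act as a bin directory
        yield entry


def resolve_binary(name, path_env, cwd, exts=("", ".exe")):
    """Return (path found via trusted PATH or None, same-named file in cwd or None)."""
    if os.path.basename(name) != name or name in ("", ".", ".."):
        raise ValueError("expected a bare program name")
    in_cwd = [os.path.join(cwd, name + e) for e in exts]
    shadow = next((p for p in in_cwd if os.path.isfile(p)), None)
    for directory in trusted_dirs(path_env, cwd):
        for ext in exts:
            candidate = os.path.join(directory, name + ext)
            if os.path.isfile(candidate):
                return candidate, shadow
    return None, shadow


def demo():
    """Constructed layout: a TL bin directory and an unpacked document directory."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        bindir = os.path.join(root, "texlive", "bin")
        docdir = os.path.join(root, "unzipped-document")
        for d in (bindir, docdir):
            os.makedirs(d)
            open(os.path.join(d, "texlua.exe"), "w").close()
        # Constructed PATH value with a literal "%PATH", "." and the cwd itself.
        path_env = os.pathsep.join(["%PATH", ".", docdir, bindir])
        found, shadow = resolve_binary("texlua", path_env, docdir)
        return os.path.relpath(found, root), os.path.relpath(shadow, root)


if __name__ == "__main__":
    print(demo())
```

A non-None second value means a file in the working directory would have won under a current-directory-first search, which is worth logging before the document is processed.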


