#StackBounty: #graphics #xetex #security Security of "includegraphics" with untrusted input

Bounty: 100

When using the includegraphics command from the graphicx package, are there any security implications when using images from someone whom you don’t trust, who may potentially be an adversary?

If you’re now wondering why anybody would do that, I don’t think this scenario is that far-fetched at all. I’d just like to be sure that, although I may take some images that I received via email and include them in my LaTeX documents, my computer is not in immediate danger of being hacked.

Of course, I know that there’s never 100% security, but this question is about what is likely to happen, or not to happen.

Other pieces of software that process images, such as ImageMagick, have had some serious vulnerabilities from time to time. So I’m wondering if that’s possible (or rather, likely) with LaTeX (XeLaTeX) as well.

If the images are just copied into the resulting PDF as they are, bit by bit, the risk is probably low. But if the images are processed in some way, e.g. when using the width, height, scale or angle options, the risk is probably much higher.

Edit: Generating two PDFs via XeLaTeX, one with a PNG image included and one without, I could see that 123.6% of the PNG file’s size is added to the PDF file’s size. So the bytes of the PNG are definitely not just written into the PDF as they are, however that might have worked.

Reading how images inside of PDF documents actually work [1] [2] [3] and trying to understand a tiny bit of what graphicx does [4], it seems that image data is at least decoded and then re-encoded for use in PDFs. So that’s what LaTeX probably does. That would mean there’s definitely a minor attack surface where vulnerabilities might occur, since LaTeX does not just forward the bytes from the image but touches and processes them.

On the other hand, it seems that altering the dimensions or rotating an image does not involve any real processing, but just some slightly different controls written to the PDF that change how the viewer later displays the image. I can support this assumption now after testing different combinations of the width, height and keepaspectratio options, all producing PDF files that vary in their file sizes by just 0 to 2 bytes, although the PNG file inserted is about 13 KB.

Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.