Message-ID: <4BEA2414.6080305@extendedsubset.com>
Date: Tue, 11 May 2010 22:44:20 -0500
From: Marsh Ray <marsh@...endedsubset.com>
To: Peter Besenbruch <prb@...a.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Multiple memory corruption vulnerabilities in Ghostscript

On 5/11/2010 8:30 PM, Peter Besenbruch wrote:
> On Tue, 11 May 2010 20:27:35 -0400
> Dan Rosenberg <dan.j.rosenberg@...il.com> wrote:
>
>> ==Solution==
>>
>> In the absence of a patch, users are encouraged to discontinue use of
>> Ghostscript or avoid processing untrusted PostScript files.

How are you supposed to trust a document before you read it?!

Judge it by its cover perhaps?

> Ghostscript is an important part of most Linux systems out there. If
> you remove Ghostscript, you remove the ability to print in most cases.
>
> The advice to avoid opening unknown PS files is good.

Unless you're a printer.

> I wonder whether
> a similar flaw exists in Ghostscript's handling of PDF files.

Last I checked (a long long time ago), PDF wasn't a Turing-complete
programming language like PostScript, so it wouldn't allow recursion
needed for this flaw.

Maybe that's why they couldn't resist adding JavaScript to it.

> If such
> an attack is possible with a PDF, the flaw is potentially much more
> serious.

Well, I need to read 'em both.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/