Date: Tue, 11 May 2010 22:44:20 -0500
From: Marsh Ray <>
To: Peter Besenbruch <>
Subject: Re: Multiple memory corruption vulnerabilities in

On 5/11/2010 8:30 PM, Peter Besenbruch wrote:
> On Tue, 11 May 2010 20:27:35 -0400
> Dan Rosenberg <> wrote:
>> ==Solution==
>> In the absence of a patch, users are encouraged to discontinue use of
>> Ghostscript or avoid processing untrusted PostScript files.

How are you supposed to trust a document before you read it?!
Judge it by its cover perhaps?

> Ghostscript is an important part of most Linux systems out there. If
> you remove Ghostscript, you remove the ability to print in most cases.
> The advice to avoid opening unknown PS files is good.

Unless you're a printer.

> I wonder whether
> a similar flaw exists in Ghostscript's handling of PDF files.

Last I checked (a long long time ago), PDF wasn't a Turing-complete
programming language like PostScript, so it wouldn't allow the recursion
needed for this flaw. Maybe that's why they couldn't resist adding
JavaScript to it.

> If such
> an attack is possible with a PDF, the flaw is potentially much more
> serious.

Well, I need to read 'em both.

- Marsh

Full-Disclosure - We believe in it.