lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 May 2010 22:44:20 -0500
From: Marsh Ray <marsh@...endedsubset.com>
To: Peter Besenbruch <prb@...a.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Multiple memory corruption vulnerabilities in
 Ghostscript

On 5/11/2010 8:30 PM, Peter Besenbruch wrote:
> On Tue, 11 May 2010 20:27:35 -0400
> Dan Rosenberg <dan.j.rosenberg@...il.com> wrote:
>
>> ==Solution==
>>
>> In the absence of a patch, users are encouraged to discontinue use of
>> Ghostscript or avoid processing untrusted PostScript files.

How are you supposed to trust a document before you read it?!
Judge it by it's cover perhaps?

> Ghostscript is an important part of most Linux systems out there. If
> you remove Ghostscript, you remove the ability to print in most cases.
>
> The advice to avoid opening unknown PS files is good.

Unless you're a printer.

> I wonder whether
> a similar flaw exists in Ghostscript's handling of PDF files.

Last I checked (a long long time ago), PDF wasn't a Turing-complete
programming language like Postscript, so it wouldn't allow recursion
needed for this flaw. Maybe that's why they couldn't resist adding
Javascript to it.

> If such
> an attack is possible with a PDF, the flaw is potentially much more
> serious.

Well, I need to read 'em both.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists