RE: Re: Cite for print-to-postscript exploit in Mozilla?
I guess if you really wanted to get fancy you could set up PostScript rendering as a service in a chrooted jail, so it doesn't really matter if anything runs, as it will not have access to the OS file system or services.
From: "Kevin B. McCarty" <email@example.com>
To: Ian Douglas <firstname.lastname@example.org>
CC: email@example.com, firstname.lastname@example.org,
Subject: Re: Cite for print-to-postscript exploit in Mozilla?
Date: Fri Jul 09 14:18:51 GMT 2004
>On 07/09/2004 04:02 PM, Ian Douglas wrote:
>> Is probably what is being referred to...
>Thanks for the link! (Wow, foreshadowing of virus infections via email
>But is there any way in which Mozilla's print-to-postscript is _less_
>safe than using gv to open up a random PostScript file found somewhere
>on the Internet? Or are the two equally insecure? If the latter, then
>does it make sense to turn off postscript printing without also removing
>gv and other PS viewers from Debian?
>I admit this last question is a bit rhetorical. My point is that, as
>sysadmin of a physics cluster running Debian/woody on which people
>frequently look at downloaded PS files anyway, I want to know whether it
>is really worth my time to upgrade Mozilla [currently running 1.4 from
>Adrian Bunk's backports], install Xprint from unstable, and go through
>the apparently non-trivial task of getting it to work well.
>By the way, is PDF also Turing-complete with the accompanying security
>Kevin B. McCarty <email@example.com> Physics Department
>WWW: http://www.princeton.edu/~kmccarty/ Princeton University
>GPG public key ID: 4F83C751 Princeton, NJ 08544