[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: Re: Cite for print-to-postscript exploit in Mozilla?

I guess if you really wanted to get fancy you could setup postscript rendering as service in a chrooted jail, so it doesn't really matter if anything runs as it will not have access to the OS file system or services.


-----Original Message-----
From: "Kevin B. McCarty" <kmccarty@princeton.edu>
To: Ian Douglas <idouglas@dssinc.ca>
CC: rebeccagreenwald@yahoo.co.uk, debian-user@lists.debian.org, 
	debian-security@lists.debian.org, 247585@bugs.debian.org
Subject: Re: Cite for print-to-postscript exploit in Mozilla?
Date: Fri Jul 09 14:18:51 GMT 2004

>On 07/09/2004 04:02 PM, Ian Douglas wrote:
>> http://www.imc.org/ietf-822/old-archive1/msg01346.html
>> Is probably what is being refered to...
>Thanks for the link!  (Wow, foreshadowing of virus infections via email
>But is there any way in which Mozilla's print-to-postscript is _less_
>safe than using gv to open up a random PostScript file found somewhere
>on the Internet?  Or are the two equally insecure?  If the latter, then
>does it make sense to turn off postscript printing without also removing
>gv and other PS viewers from Debian?
>I admit this last question is a bit rhetorical.  My point is that, as
>sysadmin of a physics cluster running Debian/woody on which people
>frequently look at downloaded PS files anyway, I want to know whether it
>is really worth my time to upgrade Mozilla [currently running 1.4 from
>Adrian Bunk's backports], install Xprint from unstable, and go through
>the apparently non-trivial task of getting it to work well.
>By the way, is PDF also Turing-complete with the accompanying security
>Kevin B. McCarty <kmccarty@princeton.edu>   Physics Department
>WWW: http://www.princeton.edu/~kmccarty/    Princeton University
>GPG public key ID: 4F83C751                 Princeton, NJ 08544
>To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
>with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: