
Re: Mozilla/Firefox "PostScript/default" security problems



On Thursday 08 July 2004 7:18 pm, Reid Priedhorsky wrote:

> Googling and searching the bug database only yielded a vague claim about a
> remote exploit (bug #247585). I also asked over on debian-user and while
> the flurry of replies showed that the removal decision was controversial
> if not unpopular, no one gave any information on the security problems.
> debian-devel has not turned up anything so far either.

Best anyone on debian-user or in #debian up on freenode can tell me,
the only one to notice the potential exploit (frankly I worry more about a
meteor hitting the pc) is the one who removed postscript and
who closes wishlists asking for it back with wont-fix. Upstream still prints
via postscript/default, for what it's worth.

As I understand it, the potential is that, as postscript is nearly Turing-complete,
it can potentially run commands on your machine while printing
L337 |-|4><0r Du|)3's web page. Like I said, not all that likely to actually
happen in real life.

But if anyone has more info I too would like to hear it.

If you want postscript back, simply grab the source deb and roll your own;
just edit rules under the debian folder. Delete the '--with-xprint' and
'--disable-postscript' lines and do 'dpkg-buildpackage -rfakeroot'. However
I did give the debs a version number of 99 to keep apt from updating them
until there is a new mozilla version from upstream.

-- 
How dare the government intervene to stifle innovation in the computer
industry! That's Microsoft's job, dammit!


