
Re: Mozilla/Firefox "PostScript/default" security problems



* Don Armstrong:

> Perhaps I've missed something, but everything that I've read in the
> threads so far amounts to people either assuming that there's an issue
> and not defining it, or attempting to figure out where the issue is.

This summary is correct as far as I can see.  No real security issue
has been disclosed so far.

Two things could lead to vulnerabilities:

  * It's possible to use scripting to set another print command.

  * Untrusted content might be put verbatim into the PostScript file.

The latter case shouldn't be a problem because viewers and print
spoolers should not assume benign PostScript files (if they do, it's
their fault, not Mozilla's).

If the first issue is a problem, printing to a pipe should be
disabled, but not printing to a file (or printing should be made
unscriptable).

I find these rumors quite disturbing.  Some people are trying very
hard to put Mozilla's security efforts in a very bad shape.  First the
shell: protocol handler issue (on Windows) that has been known (in
principle) since 2002, and now this mess.


