[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Mozilla/Firefox "PostScript/default" security problems

* Don Armstrong:

> Perhaps I've missed something, but everything that I've read in the
> threads so far amounts to people either assuming that there's an issue
> and not defining it, or attempting to figure out where the issue is.

This summary is correct as far as I can see.  No real security issue
has been disclosed so far.

Two things could lead to vulnerabilities:

  * It's possible to use scripting to set another print command.

  * Untrusted content might be put verbatim into the Postscript file.

The latter case shouldn't be a problem because viewers and print
spoolers should not assume benign Postscript files (if they do, it's
their fault, not Mozilla's).

If the first issue is a problem, printing to a pipe should be
disabled, but not printing to a file (or printing should be made

I find these rumors quite disturbing.  Some people are trying very
hard to put Mozilla's security efforts in a very bad shape.  First the
shell: protocol handler issue (on Windows) that has been known (in
principle) since 2002, and now this mess.

Reply to: