Re: Cite for print-to-postscript exploit in Mozilla?

To: debian-user@lists.debian.org, debian-security@lists.debian.org
Subject: Re: Cite for print-to-postscript exploit in Mozilla?
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Fri, 9 Jul 2004 12:18:30 -0300
Message-id: <[🔎] 20040709151830.GB25316@khazad-dum.debian.net>
In-reply-to: <[🔎] 24941605.1089384515281.JavaMail.root@fedora.dssinc.ca>
References: <[🔎] 24941605.1089384515281.JavaMail.root@fedora.dssinc.ca>

On Fri, 09 Jul 2004, Ian Douglas wrote:
> I guess if you really wanted to get fancy you could setup postscript
> rendering as service in a chrooted jail, so it doesn't really matter if
> anything runs as it will not have access to the OS file system or
> services.

Doesn't just about anything that call ghostscript pass a -dSAFER to it
nowadays?   The only exploit you should get to do, then, would be reading
any readable file in the system... or making gs hog a lot of CPU/memory,
which is often its normal operational condition anyway ;-)

A chroot jail would be nice anyway, though :)

OTOH, maybe the postscript code in mozilla itself has a security hole.  But
the right thing to do would be to *fix* that instead, not to drop it.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

Follow-Ups:
- Re: Cite for print-to-postscript exploit in Mozilla?
  - From: Dale Amon <amon@vnl.com>

References:
- RE: Re: Cite for print-to-postscript exploit in Mozilla?
  - From: Ian Douglas <idouglas@dssinc.ca>

Prev by Date: RE: Re: Cite for print-to-postscript exploit in Mozilla?
Next by Date: Re: openoffice won't import eps postscript graphic
Previous by thread: RE: Re: Cite for print-to-postscript exploit in Mozilla?
Next by thread: Re: Cite for print-to-postscript exploit in Mozilla?
Index(es):
- Date
- Thread