I guess if you really wanted to get fancy you could set up postscript rendering as 
a service in a chrooted jail, so it doesn't really matter if anything runs as it will 
not have access to the OS file system or services.

Ian

-----Original Message-----
From: "Kevin B. McCarty" <[EMAIL PROTECTED]>
To: Ian Douglas <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], [EMAIL PROTECTED], 
        [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Cite for print-to-postscript exploit in Mozilla?
Date: Fri Jul 09 14:18:51 GMT 2004

>On 07/09/2004 04:02 PM, Ian Douglas wrote:
>> http://www.imc.org/ietf-822/old-archive1/msg01346.html
>> 
>> Is probably what is being referred to...
>
>Thanks for the link!  (Wow, foreshadowing of virus infections via email
>attachments...)
>
>But is there any way in which Mozilla's print-to-postscript is _less_
>safe than using gv to open up a random PostScript file found somewhere
>on the Internet?  Or are the two equally insecure?  If the latter, then
>does it make sense to turn off postscript printing without also removing
>gv and other PS viewers from Debian?
>
>I admit this last question is a bit rhetorical.  My point is that, as
>sysadmin of a physics cluster running Debian/woody on which people
>frequently look at downloaded PS files anyway, I want to know whether it
>is really worth my time to upgrade Mozilla [currently running 1.4 from
>Adrian Bunk's backports], install Xprint from unstable, and go through
>the apparently non-trivial task of getting it to work well.
>
>By the way, is PDF also Turing-complete with the accompanying security
>issues?
>
>regards,
>
>-- 
>Kevin B. McCarty <[EMAIL PROTECTED]>   Physics Department
>WWW: http://www.princeton.edu/~kmccarty/    Princeton University
>GPG public key ID: 4F83C751                 Princeton, NJ 08544