Well caught.
I was only trying to find what could be the original claim ;-)
After reading what I found, I was thinking of an inclusion of a
postscript file or a user sending it to print through the browser, not
HTML rendered by the browser...
On Fri, 2004-07-09 at 12:44, Alan Shutko wrote:
> I
> On a related note, does anyone know if xpdf takes (or can be made to
> take) the same sort of precautions? After all, a PDF is basically just
> a PS file, so I imagine the same sorts of attack are possible.
PDF is PostScript with a lot of operators removed and
some added. Among those removed a
On Thursday 08 July 2004 7:18 pm, Reid Priedhorsky wrote:
> Googling and searching the bug database only yielded a vague claim about a
> remote exploit (bug #247585). I also asked over on debian-user and while
> the flurry of replies showed that the removal decision was controversial
> if not unpo
On Fri, Jul 09, 2004 at 05:00:30PM -0500, Reid Priedhorsky wrote:
> Mozilla and friends can generate PostScript directly, or they can depend
> on Xprint to do so. It is the latter which has been disabled. The former
> works well for some and poorly to not at all for others (myself included).
I be
On Fri, Jul 09, 2004 at 12:18:30PM -0300, Henrique de Moraes Holschuh wrote:
> OTOH, maybe the postscript code in mozilla itself has a security hole. But
> the right thing to do would be to *fix* that instead, not to drop it.
Question: are you saying that Mozilla based browsers
(eg Galeon) can no
Ian Douglas <[EMAIL PROTECTED]> writes:
> http://www.imc.org/ietf-822/old-archive1/msg01346.html
>
> Is probably what is being referred to...
But it's not clear that there's any way for a web page to inject
postscript into Mozilla's print-to-ps output. If there isn't, it's
just as safe as Xprint,
On Fri, 2004-07-09 at 10:55 -0400, Noah Meyerhans wrote:
> On Fri, Jul 09, 2004 at 10:53:01AM -0400, Robert Brockway wrote:
> > Are any hard stats available on how many Debian package upgrades have had
> > to be replaced because they broke something? I'm thinking the total number of
> > broken upd
[Snipping practically all of the cross-post distribution.]
Quoting Kevin B. McCarty ([EMAIL PROTECTED]):
> But is there any way in which Mozilla's print-to-postscript is _less_
> safe than using gv to open up a random PostScript file found somewhere
> on the Internet?
Thus the -dSAFER option, wh
On Fri, 09 Jul 2004, Ian Douglas wrote:
> I guess if you really wanted to get fancy you could set up postscript
> rendering as a service in a chrooted jail, so it doesn't really matter if
> anything runs as it will not have access to the OS file system or
> services.
Doesn't just about anything that
On Fri, Jul 09, 2004 at 10:53:01AM -0400, Robert Brockway wrote:
> Are any hard stats available on how many Debian package upgrades have had
> to be replaced because they broke something? I'm thinking the total number of
> broken updates in 2.2 and 3.0 is 0 plus or minus 1 :)
It's definitely grea
Hi all. I think this is on-topic for the security list since all Stable
package updates I see are security related.
On Bugtraq the issue of patches breaking various parts of an OS has been
raised (under the thread "Microsoft and Security").
It has been noted by one participant that his company a
I guess if you really wanted to get fancy you could set up postscript rendering as
a service in a chrooted jail, so it doesn't really matter if anything runs as it will
not have access to the OS file system or services.
Ian
-Original Message-
From: "Kevin B. McCarty" <[EMAIL PROTECTED]>
To
On 07/09/2004 04:02 PM, Ian Douglas wrote:
> http://www.imc.org/ietf-822/old-archive1/msg01346.html
>
> Is probably what is being referred to...
Thanks for the link! (Wow, foreshadowing of virus infections via email
attachments...)
But is there any way in which Mozilla's print-to-postscript is _
http://www.imc.org/ietf-822/old-archive1/msg01346.html
Is probably what is being referred to...
Ian
-Original Message-
From: "Kevin B. McCarty" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: Cite for print-to-postscr
Hi,
I would like to know where you found the security advisory that you
cited in your email to Debian Bugs # 252362 and 247585. Inquiring minds
would like to know what sort of exploit can be produced by the
print-to-postscript option in Mozilla and Firefox (especially since it
is still enabled by