oss-sec mailing list archives
Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default?
From: Leonardo Taccari <iamleot () gmail com>
Date: Thu, 23 Aug 2018 14:44:40 +0200
Hello Mateusz, Mateusz Lenik writes:
[...] It seems to be possible to disable GhostScript in ImageMagick completely by the policy rule below. It's not possible to miss any format with it. <policy domain="delegate" rights="none" pattern="gs" /> [...]
Please note that this will work *only* when ImageMagick is built with `--without-gslib'. In that case ImageMagick is not linked against gslib and ghostscript is directly invoked via `gs' or similar. If ImageMagick was built `--with-gslib' then no `gs' is invoked and there is no delegation, so the problems described by Tavis can be reproduced with that delegate policy rule as well. It is probably safer to follow the workaround described in: <https://www.kb.cert.org/vuls/id/332928>
Current thread:
- More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 21)
- Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 21)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Bob Friesenhahn (Aug 21)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Alex Gaynor (Aug 21)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 21)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? AmitB (Aug 22)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Bob Friesenhahn (Aug 22)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 22)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Leonardo Taccari (Aug 23)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Mateusz Lenik (Aug 23)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Leonardo Taccari (Aug 23)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Bob Friesenhahn (Aug 23)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Leonardo Taccari (Aug 23)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Bob Friesenhahn (Aug 23)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 27)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Perry E. Metzger (Aug 27)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Marcus Meissner (Aug 28)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 29)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 29)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Marcus Meissner (Sep 03)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Sep 04)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Bob Friesenhahn (Aug 21)
- Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 21)