oss-sec mailing list archives

Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default?


From: Florian Weimer <fweimer () redhat com>
Date: Thu, 23 Aug 2018 08:12:52 +0200

On 08/23/2018 06:24 AM, Tavis Ormandy wrote:
> I think we should kill (or at least trim the mime types)
> in /usr/share/thumbnailers/evince.thumbnailer.

Note that this may or may not work, depending on whether the MIME type detection is identical between the selection of the evince and the selection of the Ghostscript backend in evince itself.

I remember a case from several years ago where an ImageMagick bug was still exploitable via mail user agents even though the problematic image format was not listed in /etc/mailcap. ImageMagick did its own format detection back then, so all you had to do was to change the file extension.

Thanks,
Florian
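
The mismatch described in the message above, as an added example that is not part of the original post: a name-based allow/deny decision (mailcap or thumbnailer style) is compared with what a content-sniffing backend would pick for the same bytes. The extension table, the signature list, the function names and the sample files are constructed for illustration and are not taken from evince, Ghostscript or ImageMagick.

```python
import os

# Constructed extension table standing in for a name-based dispatcher.
EXT_TYPES = {
    ".ps": "application/postscript", ".eps": "application/postscript",
    ".pdf": "application/pdf", ".jpg": "image/jpeg", ".png": "image/png",
}

# Well-known leading-byte signatures a content-sniffing backend could key on.
MAGIC = [
    (b"%!PS", "application/postscript"),
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

def type_from_name(filename):
    """Type a dispatcher that only looks at the file name would select."""
    return EXT_TYPES.get(os.path.splitext(filename)[1].lower())

def type_from_content(data):
    """Type a backend doing its own format detection would select."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None

def audit(filename, data, blocked=frozenset({"application/postscript"})):
    """Report whether a block list applied to the name-derived type is
    defeated because the backend decides from the content instead."""
    by_name, by_content = type_from_name(filename), type_from_content(data)
    return {
        "by_name": by_name,
        "by_content": by_content,
        "mismatch": by_content is not None and by_name != by_content,
        "bypasses_name_filter": by_content in blocked and by_name not in blocked,
    }

if __name__ == "__main__":
    # Constructed samples: (file name, first bytes of the file).
    samples = [
        ("report.ps", b"%!PS-Adobe-3.0\n"),
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("photo.jpg", b"%!PS-Adobe-3.0\n"),
    ]
    for name, head in samples:
        print(name, audit(name, head))
```

A filter is only effective if it is applied to the same type decision the backend makes, so a check like this belongs at the layer that finally selects the handler.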
