oss-sec mailing list archives
Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default?
From: "Perry E. Metzger" <perry () piermont com>
Date: Wed, 5 Sep 2018 15:01:28 -0400
On Wed, 5 Sep 2018 11:02:48 -0700 Tavis Ormandy <taviso () google com> wrote:
I would like to re-emphasize that while Ghostscript is very capable and mature software, I consider the -dSAFER sandbox to be a fragile security boundary and that we should consider deprecating (or minimizing the use of) untrusted postscript.
I haven't been following the bugs in depth (just noticing the continuous stream of them arriving), but is the issue security flaws in just -dSAFER or is it overall security bugs? If it's the former, given how few things actually need any of the features past what -dSAFER offers, perhaps compiling the code by default without any such capabilities would work well? You can't run what isn't there. Perry -- Perry E. Metzger perry () piermont com
Current thread:
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default?, (continued)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Perry E. Metzger (Aug 27)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Marcus Meissner (Aug 28)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 29)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 29)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Marcus Meissner (Sep 03)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Sep 04)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Sep 04)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Brandon Perry (Sep 04)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Sep 04)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Sep 05)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Perry E. Metzger (Sep 05)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Stuart Gathman (Sep 05)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Perry E. Metzger (Sep 05)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Leonid Isaev (Sep 06)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Jakub Wilk (Sep 06)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Leonid Isaev (Sep 06)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Sep 09)
- Message not available
- Re: Ghostscript 9.24 issues Tavis Ormandy (Sep 09)
- Re: Re: Ghostscript 9.24 issues Marcus Meissner (Sep 10)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Marcus Meissner (Sep 06)
- Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 22)