oss-sec mailing list archives
Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961)
From: Hanno Böck <hanno () hboeck de>
Date: Tue, 9 Oct 2018 22:10:50 +0200
Hi, On Tue, 9 Oct 2018 09:30:06 -0600 Leonid Isaev <leonid.isaev () jila colorado edu> wrote:
Which means any postscript file downloaded from the internet... Then how should people read arXiv.org, for example?
Surprised by this claim I did a quick check on arxiv. I don't see any papers that are only available as postscript. All papers seem to be available as PDF, some additionally as PS. Which also makes sense: Many browsers support direct PDF display. While PDF is also a complex format with pitfalls I'd still trust the in-browser PDF readers much more than something like ghostscript. If there are sites that rely on PS documents they should probably be encouraged to do a server-side sandboxed auto-conversion of them and offer PDF also. -- Hanno Böck https://hboeck.de/ mail/jabber: hanno () hboeck de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Current thread:
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961), (continued)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Tavis Ormandy (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Bob Friesenhahn (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Perry E. Metzger (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Tavis Ormandy (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Alex Gaynor (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Doran Moppert (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Perry E. Metzger (Oct 10)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Rich Felker (Oct 16)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Perry E. Metzger (Oct 17)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Rich Felker (Oct 17)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Tavis Ormandy (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Hanno Böck (Oct 10)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Eddie Chapman (Oct 10)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Hanno Böck (Oct 10)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Emilio Pozuelo Monfort (Oct 11)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Brandon Perry (Oct 10)