[OpenIndiana-discuss] ghostscript / ImageMagick security problems
Bob Friesenhahn
bfriesen at simple.dallas.tx.us
Wed Aug 22 20:39:36 UTC 2018
On Wed, 22 Aug 2018, Reginald Beardsley via openindiana-discuss wrote:

> How do you mitigate it? Just not read PDFs? I can't find the policy.xml file referenced in the first link.

I think that Postscript (an arbitrarily powerful language) is more
dangerous than PDFs. Unfortunately, Postscript is inherent to
Ghostscript and I would not be surprised if it used Postscript code
internally to parse PDF.

Untrusted Postscript and EPS ("Encapsulated Postscript") is of
concern. EPS is commonly included inside other types of files so
you might not be aware you are using it.

I will be looking again into whether utilities from the Poppler
package can effectively be used to replace Ghostscript for use in
GraphicsMagick when reading PDF inputs. It is not clear to me if
Poppler is actually more secure though.

Take care about printer driver software which uses Ghostscript to
render Postscript into bitmap images for submission to a
non-Postscript printer.

Bob
--
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
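
Added example, not part of the original message and not GraphicsMagick or Ghostscript code: a pre-filter that decides from content signatures, not the file name, whether an untrusted input would reach a PostScript interpreter, so it can be rejected before it is handed to an image converter. The function names and the embedded-EPS heuristic are assumptions made for illustration, and the sample inputs are constructed.

```python
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"  # binary header of an EPS file carrying a preview


def classify(data: bytes) -> str:
    """Classify content by signature, ignoring the file name entirely."""
    if data[:4] == DOS_EPS_MAGIC:
        return "eps-binary"
    head = data[:1024]
    if head.startswith(b"\xef\xbb\xbf"):   # UTF-8 byte order mark
        head = head[3:]
    head = head.lstrip(b"\x04 \t\r\n")     # Ctrl-D or whitespace some drivers prepend
    if head.startswith(b"%!"):
        return "postscript"                 # plain PostScript and text-form EPS
    if b"%PDF-" in head:
        return "pdf"                        # some readers accept the header in the first 1024 bytes
    if b"%!PS-Adobe" in data:
        # Heuristic (assumption): an uncompressed DSC header deeper in the file
        # suggests EPS embedded in a container. Compressed payloads are missed.
        return "embedded-postscript"
    return "other"


def safe_to_render(data: bytes, allow_pdf: bool = False) -> bool:
    """True only if nothing in the input would be routed to a PostScript interpreter."""
    kind = classify(data)
    if kind == "pdf":
        return allow_pdf                    # PDF is a local policy decision
    return kind == "other"


# Constructed sample inputs; the file names are deliberately misleading.
SAMPLES = {
    "logo.jpg": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
    "print.txt": b"\x04%!PS\n/Helvetica findfont\n",
    "figure.tif": DOS_EPS_MAGIC + bytes(28),
    "report.png": b"%PDF-1.4\n1 0 obj\n",
    "scan.tif": b"II*\x00" + bytes(64) + b"%!PS-Adobe-3.0 EPSF-3.0\n",
    "photo.png": b"\x89PNG\r\n\x1a\n" + bytes(16),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = "accept" if safe_to_render(data) else "reject"
        print(f"{name:12} {classify(data):20} {verdict}")
```

The check fails closed on anything PostScript-like and only sees uncompressed markers, so it complements rather than replaces disabling the PostScript, EPS and PDF coders in the converter itself.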