Debian Developers - Re: Mozilla/Firefox "PostScript/default" security problems


Subject: Re: Mozilla/Firefox "PostScript/default" security problems
Author: Florian Weimer
Date: 2004-07-10, 5:54 pm

* Don Armstrong:

> Perhaps I've missed something, but everything that I've read in the
> threads so far amounts to people either assuming that there's an issue
> and not defining it, or attempting to figure out where the issue is.


This summary is correct as far as I can see. No real security issue
has been disclosed so far.

Two things could lead to vulnerabilities:

* It's possible to use scripting to set another print command.

* Untrusted content might be put verbatim into the Postscript file.

The latter case shouldn't be a problem because viewers and print
spoolers should not assume benign Postscript files (if they do, it's
their fault, not Mozilla's).

If the first issue is a problem, printing to a pipe should be
disabled, but not printing to a file (or printing should be made
unscriptable).

I find these rumors quite disturbing. Some people are trying very
hard to put Mozilla's security efforts in a very bad shape. First the
shell: protocol handler issue (on Windows) that has been known (in
principle) since 2002, and now this mess.

