On Wed, 22 Aug 2018, Reginald Beardsley via openindiana-discuss wrote:
> How do you mitigate it? Just not read PDFs? I can't find the policy.xml file referenced in the first link.
I think that Postscript (an arbitrarily powerful language) is more dangerous than PDFs. Unfortunately, Postscript is inherent to Ghostscript and I would not be surprised if it used Postscript code internally to parse PDF.
Untrusted Postscript and EPS ("Encapsulated Postscript") are of concern. EPS is commonly included inside other types of files, so you might not be aware that you are using it.
I will be looking again into whether utilities from the Poppler package can effectively be used to replace Ghostscript for use in GraphicsMagick when reading PDF inputs. It is not clear to me if Poppler is actually more secure though.
Take care about printer driver software which uses Ghostscript to render Postscript into bitmap images for submission to a non-Postscript printer.
Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
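As an added illustration (not from the thread or from either project), assuming the policy.xml the question refers to is ImageMagick's security policy file: the coder entries below make ImageMagick refuse the formats it would otherwise hand to Ghostscript, which is the "just not read them" mitigation expressed as configuration rather than user discipline.

```xml
<!-- Added example: ImageMagick policy.xml fragment (assumed location, e.g.
     /etc/ImageMagick-6/policy.xml; the exact path depends on the build).
     Each <policy> with rights="none" denies the named coder, so a file in
     that format is rejected before any Ghostscript code runs. -->
<policymap>
  <!-- Weak setting: a policymap with no coder entries leaves every coder
       enabled, so "convert untrusted.eps out.png" (constructed file name)
       invokes the Ghostscript interpreter on the untrusted input. -->

  <!-- Hardened setting: deny the Ghostscript-backed coders. PS/PS2/PS3 and
       EPS cover PostScript and Encapsulated PostScript; PDF and XPS are
       also rendered through Ghostscript. -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
```

After editing the file, `identify -list policy` prints the policy ImageMagick actually loaded, which is the quickest check that the entries took effect in the installation you are using.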