Date: Thu, 23 Aug 2018 10:03:40 -0500 (CDT) From: Bob Friesenhahn <bfriesen@...ple.dallas.tx.us> To: oss-security@...ts.openwall.com Subject: Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? On Thu, 23 Aug 2018, Leonardo Taccari wrote: > > (Regarding the `file.ps2' and `file.ps3' examples without `PS2:' or > `PS3:' prefixes according `convert -debug Policy -log "%e"' it seems > that they ends up as: > > Domain: Coder; rights=Read; pattern="PS" ... > > ...so should be blocked by the workaround described in > VU#332928. But please correct me if I'm wrong.) This is likely due to header magic detection (e.g. "%!PS-Adobe"). It is possible that a different path will be taken if the common Postscript header is not detected. The file extension may then be used as a hint. Also, there are a wide varieties of ImageMagick versions in use, with a wide variety of behaviors. The version of ImageMagick provided by the Ubuntu Linux I am using at this moment dates from 2012! Bob -- Bob Friesenhahn bfriesen@...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.