Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 23 Aug 2018 10:03:40 -0500 (CDT)
From: Bob Friesenhahn <bfriesen@...ple.dallas.tx.us>
To: oss-security@...ts.openwall.com
Subject: Re: Re: More Ghostscript Issues: Should we disable
 PS coders in policy.xml by default?

On Thu, 23 Aug 2018, Leonardo Taccari wrote:
>
> (Regarding the `file.ps2' and `file.ps3' examples without `PS2:' or
> `PS3:' prefixes according `convert -debug Policy -log "%e"' it seems
> that they ends up as:
>
> Domain: Coder; rights=Read; pattern="PS" ...
>
> ...so should be blocked by the workaround described in
> VU#332928. But please correct me if I'm wrong.)

This is likely due to header magic detection (e.g. "%!PS-Adobe").  It 
is possible that a different path will be taken if the common 
Postscript header is not detected.  The file extension may then be 
used as a hint.  Also, there are a wide varieties of ImageMagick 
versions in use, with a wide variety of behaviors.

The version of ImageMagick provided by the Ubuntu Linux I am using at 
this moment dates from 2012!

Bob
-- 
Bob Friesenhahn
bfriesen@...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.