Date: Thu, 23 Aug 2018 08:12:52 +0200 From: Florian Weimer <fweimer@...hat.com> To: oss-security@...ts.openwall.com, Tavis Ormandy <taviso@...gle.com> Subject: Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? On 08/23/2018 06:24 AM, Tavis Ormandy wrote: > I think we should kill (or at least trim the mime types) > in /usr/share/thumbnailers/evince.thumbnailer. Note that this may or may not work, depending on whether the MIME type detection is identical between the selection of the evince and the selection of the Ghostscript backend in evince itself. I remember a case from several years ago where an ImageMagick bug was still exploitable via mail user agents even though the problematic image format was not listed in /etc/mailcap. ImageMagick did its own format detection back then, so all you had to do was to change the file extension. Thanks, Florian
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.