oss-sec mailing list archives

Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default?

From: Bob Friesenhahn <bfriesen () simple dallas tx us>
Date: Thu, 23 Aug 2018 10:03:40 -0500 (CDT)

On Thu, 23 Aug 2018, Leonardo Taccari wrote:


(Regarding the `file.ps2' and `file.ps3' examples without `PS2:' or
`PS3:' prefixes according `convert -debug Policy -log "%e"' it seems
that they ends up as:

Domain: Coder; rights=Read; pattern="PS" ...

...so should be blocked by the workaround described in
VU#332928. But please correct me if I'm wrong.)

This is likely due to header magic detection (e.g. "%!PS-Adobe"). Itis possible that a different path will be taken if the commonPostscript header is not detected. The file extension may then beused as a hint. Also, there are a wide varieties of ImageMagickversions in use, with a wide variety of behaviors.

The version of ImageMagick provided by the Ubuntu Linux I am using atthis moment dates from 2012!


Bob
--
Bob Friesenhahn
bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Current thread:

Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default?, (continued)
- - - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Alex Gaynor (Aug 21)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 21)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? AmitB (Aug 22)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Bob Friesenhahn (Aug 22)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 22)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Leonardo Taccari (Aug 23)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Mateusz Lenik (Aug 23)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Leonardo Taccari (Aug 23)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Bob Friesenhahn (Aug 23)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Leonardo Taccari (Aug 23)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Bob Friesenhahn (Aug 23)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 27)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Perry E. Metzger (Aug 27)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Marcus Meissner (Aug 28)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 29)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Aug 29)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Marcus Meissner (Sep 03)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Sep 04)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Sep 04)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Brandon Perry (Sep 04)
    - Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default? Tavis Ormandy (Sep 04)

(Thread continues...)