[Esa-l] Adobe PDF files can be used as virus carriers (fwd)

Phil Pennock pdp at nl.demon.net
Tue Aug 7 18:21:35 PDT 2001


On 2001-08-07 at 19:02 -0600, Brett Glass wrote:
> >man gs(1):
> >       -dSAFER

> Will it allow programs to be EXECUTED, though? On many OSes,
> one can execute anything one can read; that is, the permissions
> are not separate. And if the program is a script, read permission
> may be all that's necessary, because the script is really just
> "data" for the interpreter.

The point is that it's a known issue, which has had solutions out there
for many years.  For Unix, any client invoking gs on possibly bad data
(e.g., most viewers) should be passing -dSAFER by default.

If you're using a different platform and/or different software,
investigate your documentation.  It's not new, it's not something which
any competent writers of PostScript-aware software should be bitten by.
Luckily Microsoft have never implemented PostScript software ....
*coughs*

If you're on an OS where read permissions allow execute, so what?  You
still need a way to tell the interpreter to actually perform the
execution.  If the interpreter has disabled that functionality, how do
the FS permissions matter?

> P.S. -- We don't use GhostScript, because it's one of the few products
> out there which has a license that's MORE onerous than the GPL. Viral...
> nasty... bleagh.

Off-topic.  But there's a difference between "use" and "want to derive
code from".  We have no intention of writing code to support a
proprietary document format, even if it has been cloned etc etc.

If you want to write code, either just _use_ gs as an external program
(you know, ye olde toolkit approach) or, if this doesn't help, then
you're not dealing with PostScript.

 (b) Activities other than copying, distribution and modification of the
     Program are not subject to this License and they are outside its
     scope.  Functional use (running) of the Program is not restricted,
     and any output produced through the use of the Program is subject
     to this license only if its contents constitute a work based on
     the Program (independent of having been made by running the
     Program).

What are you doing that you feel yourself restricted by this?
-- 
Phil Pennock                        <pdp at nl.demon.net> <Phil.Pennock at thus.net>
Demon Internet Nederland -- Network Operations Centre -- Systems Administrator
Libertes philosophica.
NL Sales: +31 20 422 20 00                          NL Support: 0800 33 6666 8
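
Added example, not part of the original message: one way a client can pass -dSAFER by default when handing untrusted input to gs, plus a check that flags gs command lines lacking it. The function names, the binary names in GS_NAMES and the sample command lines are assumptions constructed for illustration.

```python
import os
import shlex

GS_NAMES = {"gs", "ghostscript"}  # assumed binary names on a Unix host

def build_gs_argv(src, dst, device="pdfwrite", gs="gs"):
    """Command line for a viewer or converter handing untrusted input to gs."""
    if not device.isalnum():
        raise ValueError("unexpected device name: %r" % device)
    # Absolute paths cannot be parsed by gs as a switch ("-...") or "@argfile".
    src, dst = os.path.abspath(src), os.path.abspath(dst)
    # Ghostscript 9.50 and later default to SAFER; older builds need the flag.
    return [gs, "-dSAFER", "-dBATCH", "-dNOPAUSE", "-q",
            "-sDEVICE=" + device, "-sOutputFile=" + dst, src]

def audit_gs_command(cmd):
    """Findings for one command (string or argv); [] means fine or not gs."""
    argv = shlex.split(cmd) if isinstance(cmd, str) else list(cmd)
    if not argv or os.path.basename(argv[0]) not in GS_NAMES:
        return []
    findings = []
    if "-dSAFER" not in argv[1:]:
        findings.append("missing -dSAFER")
    if "-dNOSAFER" in argv[1:]:
        findings.append("-dNOSAFER present")
    return findings

# Constructed sample command lines, e.g. as collected from wrapper scripts.
SAMPLES = [
    "gs -dSAFER -dBATCH -dNOPAUSE -sDEVICE=png16m -sOutputFile=out.png in.ps",
    "/usr/bin/gs -q -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -sOutputFile=o.pdf up.ps",
    "gs -dSAFER -dNOSAFER -dBATCH in.ps",
    "lpr in.ps",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(audit_gs_command(line) or ["ok"], line)
```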


