Message-ID: <f1f21888-b738-306f-a064-9c3fc6cc764b@redhat.com>
Date: Thu, 23 Aug 2018 08:12:52 +0200
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com, Tavis Ormandy <taviso@...gle.com>
Subject: Re: Re: More Ghostscript Issues: Should we disable PS
 coders in policy.xml by default?

On 08/23/2018 06:24 AM, Tavis Ormandy wrote:
> I think we should kill (or at least trim the mime types)
> in /usr/share/thumbnailers/evince.thumbnailer.

Note that this may or may not work, depending on whether the MIME type
detection is identical between the selection of evince and the
selection of the Ghostscript backend in evince itself.

I remember a case from several years ago where an ImageMagick bug was 
still exploitable via mail user agents even though the problematic image 
format was not listed in /etc/mailcap.  ImageMagick did its own format 
detection back then, so all you had to do was to change the file extension.

Thanks,
Florian
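
The mismatch described in the message above can be audited from the defender's side. The following is an added example, not part of the original post: it classifies files by their leading bytes rather than by name and reports PostScript content stored under a non-PostScript name. The extension set, function names and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Leading bytes of content that a Ghostscript-backed handler may act on.
MAGIC = (
    (b"%!", "postscript"),                # PostScript / EPS text header
    (b"\xc5\xd0\xd3\xc6", "eps-binary"),  # DOS EPS binary file header
)
EXPECTED_EXT = {".ps", ".eps", ".epsf", ".epsi"}  # assumed local policy

def sniff(path):
    """Classify a file by its first bytes, ignoring its name."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return None

def find_mismatches(root):
    """Return (path, kind) for PostScript content under a non-PostScript name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path) or os.path.islink(path):
                continue  # skip FIFOs, sockets and symlinks
            kind = sniff(path)
            ext = os.path.splitext(name)[1].lower()
            if kind and ext not in EXPECTED_EXT:
                hits.append((path, kind))
    return sorted(hits)

def demo():
    """Run the check over constructed sample files; return flagged names."""
    samples = {
        "report.ps": b"%!PS-Adobe-3.0\n",             # named as what it is
        "photo.jpg": b"%!PS-Adobe-3.0\n",             # PostScript, image name
        "real.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",  # genuine JPEG header
        "noext": b"\xc5\xd0\xd3\xc6" + b"\x00" * 26,  # EPS binary, no extension
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), k) for p, k in find_mismatches(tmp)]

if __name__ == "__main__":
    print(demo())
```

A name-based filter (thumbnailer MIME list, /etc/mailcap) would pass `photo.jpg` and `noext` to the handler as non-PostScript; the content check flags both.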
