Re: Mozilla/Firefox "PostScript/default" security problems

2004-07-10 Thread Reid Priedhorsky 
On Sat, 10 Jul 2004 12:00:07 +0200, Dale Amon wrote:
>
> I'd like a black and white clarification of the impact 
> of the change so I know for certain whether to be
> incredibly pissed off at the packager or not:
> 
>   "If I were to dselect today, would I still
>be able to print to file a website page 
>as ps?" [Y/N] 

As far as I can tell, the answer to this is a big fat maybe. It depends on
whether Xprint works for you -- Xprint generates the same postscript
whether you print to a file or to a printer, so whether you can get this
far (and whether the postscript is okay) depends on whether you have the
magic touch on Xprint.

You have to try Xprint to see if it works for you.

IMO, you should be pissed at the package manager, for removing a print
path that works for many, whose replacement does not work for some,
with claimed reasons being that the old way doesn't work for everyone
(neither does the new one) and that it is insecure (which so far, no one
has shown any real evidence of).

Sure, I can roll my own package or grab the upstream, but I use Debian for
its fabulous package management. I don't want to mess with tracking
versions or rebuilding the deb regularly.

Reid


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Mozilla/Firefox "PostScript/default" security problems

2004-07-08 Thread Reid Priedhorsky 
Hello all,

I have just discovered that the old-style printing option
"PostScript/default" is gone from Firefox and probably Mozilla (I don't
use Mozilla). Apparently a major reason for this is that the PostScript
printing engine that was removed has security problems.

Does anyone have any solid references on these security problems?

Googling and searching the bug database only yielded a vague claim about a
remote exploit (bug #247585). I also asked over on debian-user and while
the flurry of replies showed that the removal decision was controversial
if not unpopular, no one gave any information on the security problems.
debian-devel has not turned up anything so far either.

Sorry for cross-posting so much. I did post on debian-devel before I knew
debian-security existed. I figured the audience here might follow security
things in more detail.

Thank you for your time,

Reid


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]