Re: Mozilla/Firefox "PostScript/default" security problems

[Reid Priedhorsky]

On Sat, 10 Jul 2004 12:00:07 +0200, Dale Amon wrote:
>
> I'd like a black and white clarification of the impact 
> of the change so I know for certain whether to be
> incredibly pissed off at the packager or not:
> 
>   "If I were to dselect today, would I still
>be able to print to file a website page 
>as ps?" [Y/N] 

As far as I can tell, the answer to this is a big fat maybe. It depends on
whether Xprint works for you -- Xprint generates the same postscript
whether you print to a file or to a printer, so whether you can get this
far (and whether the postscript is okay) depends on whether you have the
magic touch on Xprint.

You have to try Xprint to see if it works for you.

IMO, you should be pissed at the package manager, for removing a print
path that works for many, whose replacement does not work for some,
with claimed reasons being that the old way doesn't work for everyone
(neither does the new one) and that it is insecure (which so far, no one
has shown any real evidence of).

Sure, I can roll my own package or grab the upstream, but I use Debian for
its fabulous package management. I don't want to mess with tracking
versions or rebuilding the deb regularly.

Reid


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Mozilla/Firefox "PostScript/default" security problems

[Carl Fink]

Has anyone invited our Mozilla packager to participate in this
discussion?
-- 
Carl Fink [EMAIL PROTECTED]
Jabootu's Minister of Proofreading
http://www.jabootu.com


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Mozilla/Firefox "PostScript/default" security problems

[Florian Weimer]

* Don Armstrong:

> Perhaps I've missed something, but everything that I've read in the
> threads so far amounts to people either assuming that there's an issue
> and not defining it, or attempting to figure out where the issue is.

This summary is correct as far as I can see.  No real security issue
has been disclosed so far.

Two things could lead to vulnerabilities:

  * It's possible to use scripting to set another print command.

  * Untrusted content might be put verbatim into the Postscript file.

The latter case shouldn't be a problem because viewers and print
spoolers should not assume benign Postscript files (if they do, it's
their fault, not Mozilla's).

If the first issue is a problem, printing to a pipe should be
disabled, but not printing to a file (or printing should be made
unscriptable).

I find these rumors quite disturbing.  Some people are trying very
hard to put Mozilla's security efforts in a very bad shape.  First the
shell: protocol handler issue (on Windows) that has been known (in
principle) since 2002, and now this mess.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Mozilla/Firefox "PostScript/default" security problems

[Don Armstrong]

On Sat, 10 Jul 2004, Michael B Allen wrote:
> My impression was that the PostScript generator had the security
> issue

Can someone please state, for the record, definitively and precisely
what this "security issue" is?

The fact that PS is a turing complete language isn't a security issue,
beyond the fact that you shouldn't blindly execute untrusted PS. (Just
like you shouldn't blindly execute make files, or C code, or perl
scripts...)

Perhaps I've missed something, but everything that I've read in the
threads so far amounts to people either assuming that there's an issue
and not defining it, or attempting to figure out where the issue is.


Don Armstrong

-- 
Personally, I think my choice in the mostest-superlative-computer wars
has to be the HP-48 series of calculators.  They'll run almost
anything.  And if they can't, while I'll just plug a Linux box into
the serial port and load up the HP-48 VT-100 emulator.
 -- Jeff Dege, [EMAIL PROTECTED]

http://www.donarmstrong.com
http://rzlab.ucr.edu


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Mozilla/Firefox "PostScript/default" security problems

[Michael B Allen]

On Sat, 10 Jul 2004 11:19:03 -0400
Greg Folkert <[EMAIL PROTECTED]> wrote:

> Excuse the cross posting, but many are "discussing" on all of these
> lists.
> 
> On Sat, 2004-07-10 at 06:47, Magnus Therning wrote:
> > >
> > >   "If I were to dselect today, would I still
> > >be able to print to file a website page 
> > >as ps?" [Y/N] 
> > 
> > Yes. Printing PS to a file is still possible.
> > 
> > What is removed is the ability to have Mozilla/Firefox execute an
> > external command (e.g. lpr) in order to print.
> 
> H. Now since printing to a file is fine. (DING, light goes on.)

I'd double check that. My impression was that the PostScript generator had
the security issue in which case removing the ability to execute an external
command would be pointless. The previous poster may have been using Xprint
which would allow the user to print to file but not using the PostScript
generator. I don't know for certain but you might want to check.

Mike

-- 
Greedo shoots first? Not in my Star Wars.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Mozilla/Firefox "PostScript/default" security problems

[Brad Sims]

On Saturday 10 July 2004 5:47 am, Magnus Therning wrote:
> >I'd like a black and white clarification of the impact 
> >of the change so I know for certain whether to be
> >incredibly pissed off at the packager or not:
> >
> >   "If I were to dselect today, would I still
> >    be able to print to file a website page 
> >    as ps?" [Y/N] 
> 
> Yes. Printing PS to a file is still possible.
> 
> What is removed is the ability to have Mozilla/Firefox execute an
> external command (e.g. lpr) in order to print.

However, if you are one of the many people for whom xprint either won't
start or function properly you will be unable to print at all. 

Read this bugreport and see if Xprint is still such a great idea...


If xprint won't start, mozilla will not even open the print dialog to
even /try/ piping it to lpr. That is absolute fact, I tried it myself. No go.

See the other buglistings:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=xprt-common

Now correct me if this is wrong, mozilla is Free Software; however due
to the fact that it now actually requires xprint, which appears to be 
Non-Free software misfiled as Free Software (see #250887). Isn't that a
pretty major violation of Debian Policy?

Now I realize that Mozilla merely "suggests" xprint; however it now won't
print without it. I dunno about you; but I get a bad taste in my mouth about
such legalistic reindeer games to avoid conflicting with Deb-Policy. 

-- 
It's politically correct to hate guns; it's not politically correct
to hate free speech. The results speak for themselves.
-- Jay Maynard in the SDM

Re: Mozilla/Firefox "PostScript/default" security problems

[Greg Folkert]

Excuse the cross posting, but many are "discussing" on all of these
lists.

On Sat, 2004-07-10 at 06:47, Magnus Therning wrote:
> >
> > "If I were to dselect today, would I still
> >  be able to print to file a website page 
> >  as ps?" [Y/N] 
> 
> Yes. Printing PS to a file is still possible.
> 
> What is removed is the ability to have Mozilla/Firefox execute an
> external command (e.g. lpr) in order to print.

H. Now since printing to a file is fine. (DING, light goes on.)

What say we make a PIPE and attach it to something. Oh like say a print
queue process, a redirect or something similar. That would allow us to
use nearly anything we wanted to.

Seems possible it'd be a simple process, given you could know what you
are doing. Even for Epiphany or Galeon. Heck, we could even have  do the work.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster:  Linux


signature.asc
Description: This is a digitally signed message part

Re: Mozilla/Firefox "PostScript/default" security problems

[Dale Amon]

On Sat, Jul 10, 2004 at 12:47:18PM +0200, Magnus Therning wrote:
> Yes. Printing PS to a file is still possible.

Thanks. I had visions of all sorts of extra work in
order to just stand still. Now I can forget about this
and go back to writing my mail address verify 
daemon...

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Mozilla/Firefox "PostScript/default" security problems

[Magnus Therning]

On Sat, Jul 10, 2004 at 10:47:08AM +0100, Dale Amon wrote:
>On Fri, Jul 09, 2004 at 06:38:49PM -0500, Brad Sims wrote:
>> If you want postscript back; simply grab the source deb and roll your own; 
>> just edit rules under the debian folder. Delete the '--with-xprint' and
>> '--disable-postscript' lines and do 'dpkg-buildpackage -rfakeroot'. However 
>> I did give the debs a version number of 99 to keep apt from updating them
>> until there is a new mozilla version from upstream.
>
>I'd like a black and white clarification of the impact 
>of the change so I know for certain whether to be
>incredibly pissed off at the packager or not:
>
>   "If I were to dselect today, would I still
>be able to print to file a website page 
>as ps?" [Y/N] 

Yes. Printing PS to a file is still possible.

What is removed is the ability to have Mozilla/Firefox execute an
external command (e.g. lpr) in order to print.

>I do this as a matter of course, every single day
>to archive data important to projects I work on. I
>don't have time to rebuild mozilla myself all the time,
>so if the answer to this is that I cannot... I have
>four choices in descending order of desirability:
>
>   * find someone else with a repository that
> overrides it.
>
>   * freeze forever / manually update selected
> packages.
>
>   * abandon Debian mozilla
>
>   * abandon Debian
>
>If it is true that someone out there is playing with 
>things important to my means of making a living, I do 
>not appreciate it in the least.
>
>-- 
>--
>   Dale Amon [EMAIL PROTECTED]+44-7802-188325
>   International linux systems consultancy
> Hardware & software system design, security
>and networking, systems programming and Admin
> "Have Laptop, Will Travel"
>--
>
>
>-- 
>To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>

-- 
Magnus Therning(OpenPGP: 0xAB4DFBA4)
[EMAIL PROTECTED]
http://magnus.therning.org/

The real problem we face with the web is not understanding the anomalies,
it's facing how deeply weird the ordinary is.
-- David Weinberger


signature.asc
Description: Digital signature

Re: Mozilla/Firefox "PostScript/default" security problems

[Dale Amon]

On Fri, Jul 09, 2004 at 06:38:49PM -0500, Brad Sims wrote:
> If you want postscript back; simply grab the source deb and roll your own; 
> just edit rules under the debian folder. Delete the '--with-xprint' and
> '--disable-postscript' lines and do 'dpkg-buildpackage -rfakeroot'. However 
> I did give the debs a version number of 99 to keep apt from updating them
> until there is a new mozilla version from upstream.

I'd like a black and white clarification of the impact 
of the change so I know for certain whether to be
incredibly pissed off at the packager or not:

"If I were to dselect today, would I still
 be able to print to file a website page 
 as ps?" [Y/N] 

I do this as a matter of course, every single day
to archive data important to projects I work on. I
don't have time to rebuild mozilla myself all the time,
so if the answer to this is that I cannot... I have
four choices in descending order of desirability:

* find someone else with a repository that
  overrides it.

* freeze forever / manually update selected
  packages.

* abandon Debian mozilla

* abandon Debian

If it is true that someone out there is playing with 
things important to my means of making a living, I do 
not appreciate it in the least.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Mozilla/Firefox "PostScript/default" security problems

[Brad Sims]

On Thursday 08 July 2004 7:18 pm, Reid Priedhorsky wrote:

> Googling and searching the bug database only yielded a vague claim about a
> remote exploit (bug #247585). I also asked over on debian-user and while
> the flurry of replies showed that the removal decision was controversial
> if not unpopular, no one gave any information on the security problems.
> debian-devel has not turned up anything so far either.

Best anyone on debian-user or in #debian up on freenode can tell me
the only one to notice the potential exploit (frankly I worry more about a
meteor hitting the pc) is the one who removed postscript and 
who closes wishlists asking it back with wont-fix. Upstream still prints
via postscript/default; for what it's worth.

As I understand it the potential is that postscript as nearly turing-complete
it can potentially run commands on your machine while printing 
L337 |-|4><0r Du|)3's web page. Like I said, not all that likely to actually
happen in real life.

But if anyone has more info I too would like to hear it.

If you want postscript back; simply grab the source deb and roll your own; 
just edit rules under the debian folder. Delete the '--with-xprint' and
'--disable-postscript' lines and do 'dpkg-buildpackage -rfakeroot'. However 
I did give the debs a version number of 99 to keep apt from updating them
until there is a new mozilla version from upstream.

-- 
How dare the government intervene to stifle innovation in the computer
industry! That's Microsoft's job, dammit!


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]