Re: Cite for print-to-postscript exploit in Mozilla?

2004-07-13 Thread Bernhard R. Link
* Steve Wray <[EMAIL PROTECTED]> [040712 22:13]: > I discovered that I had to unpack a .jar file, edit files inside it and > then pack it up again; the 'config files' under /etc just aren't enough. I think you do not have to repack them. At least startup-page works via getting a region.properties

Re: Cite for print-to-postscript exploit in Mozilla?

2004-07-12 Thread Steve Wray
On Tuesday 13 July 2004 01:56, Florian Weimer wrote: > * Kevin B. McCarty: > > On 07/10/2004 12:18 PM, Florian Weimer wrote: > >> 1.7 incorporates some other security fixes, apparently in the area > >> of cross-domain scripting vulnerabilities. So you

Re: Cite for print-to-postscript exploit in Mozilla?

2004-07-12 Thread Florian Weimer
* Kevin B. McCarty: > On 07/10/2004 12:18 PM, Florian Weimer wrote: > >> 1.7 incorporates some other security fixes, apparently in the area of >> cross-domain scripting vulnerabilities. So you probably should >> upgrade anyway. > > Does anyone know if there is some reason these fixes haven't been

Re: Cite for print-to-postscript exploit in Mozilla?

2004-07-12 Thread Kevin B. McCarty
On 07/10/2004 12:18 PM, Florian Weimer wrote: > 1.7 incorporates some other security fixes, apparently in the area of > cross-domain scripting vulnerabilities. So you probably should > upgrade anyway. Does anyone know if there is some reason these fixes haven't been backported to woody? regards

Re: Cite for print-to-postscript exploit in Mozilla?

2004-07-10 Thread Florian Weimer
* Kevin B. McCarty: > I admit this last question is a bit rhetorical. My point is that, as > sysadmin of a physics cluster running Debian/woody on which people > frequently look at downloaded PS files anyway, I want to know whether it > is really worth my time to upgrade Mozilla [currently runnin

Re: Cite for print-to-postscript exploit in Mozilla?

2004-07-09 Thread Ian Douglas
Well caught. I was only trying to find what could be the original claim ;-) After reading what I found, I was thinking of an inclusion of a postscript file or a user sending it to print through the browser, not HTML rendered by the browser... On Fri, 2004-07-09 at 12:44, Alan Shutko wrote: > I

Re: Cite for print-to-postscript exploit in Mozilla?

2004-07-09 Thread Micah Stetson
> On a related note, does anyone know if xpdf takes (or can be made to > take) the same sort of precautions? After all, a PDF is basically just > a PS file, so I imagine the same sorts of attack are possible. PDF is PostScript with a lot of operators removed and some added. Among those removed a

Re: Cite for print-to-postscript exploit in Mozilla?

2004-07-09 Thread Carl Fink
On Fri, Jul 09, 2004 at 05:00:30PM -0500, Reid Priedhorsky wrote: > Mozilla and friends can generate PostScript directly, or they can depend > on Xprint to do so. It is the latter which has been disabled. The former > works well for some and poorly to not at all for others (myself included). I be

Re: Cite for print-to-postscript exploit in Mozilla?

2004-07-09 Thread Dale Amon
On Fri, Jul 09, 2004 at 12:18:30PM -0300, Henrique de Moraes Holschuh wrote: > OTOH, maybe the postscript code in mozilla itself has a security hole. But > the right thing to do would be to *fix* that instead, not to drop it. Question: are you saying that Mozilla based browsers (eg Galeon) can no

Re: Cite for print-to-postscript exploit in Mozilla?

2004-07-09 Thread Alan Shutko
Ian Douglas <[EMAIL PROTECTED]> writes: > http://www.imc.org/ietf-822/old-archive1/msg01346.html > > Is probably what is being referred to... But it's not clear that there's any way for a web page to inject postscript into Mozilla's print-to-ps output. If there isn't, it's just as safe as Xprint,

Re: Cite for print-to-postscript exploit in Mozilla?

2004-07-09 Thread Rick Moen
[Snipping practically all of the cross-post distribution.] Quoting Kevin B. McCarty ([EMAIL PROTECTED]): > But is there any way in which Mozilla's print-to-postscript is _less_ > safe than using gv to open up a random PostScript file found somewhere > on the Internet? Thus the -dSAFER option, wh

Re: Cite for print-to-postscript exploit in Mozilla?

2004-07-09 Thread Henrique de Moraes Holschuh
On Fri, 09 Jul 2004, Ian Douglas wrote: > I guess if you really wanted to get fancy you could setup postscript > rendering as service in a chrooted jail, so it doesn't really matter if > anything runs as it will not have access to the OS file system or > services. Doesn't just about anything that

RE: Re: Cite for print-to-postscript exploit in Mozilla?

2004-07-09 Thread Ian Douglas
<[EMAIL PROTECTED]> To: Ian Douglas <[EMAIL PROTECTED]> CC: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: Cite for print-to-postscript exploit in Mozilla? Date: Fri Jul 09 14:18:51 GMT 2004 >On 07/09/2004 04:02 PM, Ian Douglas wrote: >

Re: Cite for print-to-postscript exploit in Mozilla?

2004-07-09 Thread Kevin B. McCarty
On 07/09/2004 04:02 PM, Ian Douglas wrote: > http://www.imc.org/ietf-822/old-archive1/msg01346.html > > Is probably what is being referred to... Thanks for the link! (Wow, foreshadowing of virus infections via email attachments...) But is there any way in which Mozilla's print-to-postscript is _

RE: Cite for print-to-postscript exploit in Mozilla?

2004-07-09 Thread Ian Douglas
http://www.imc.org/ietf-822/old-archive1/msg01346.html Is probably what is being referred to... Ian -Original Message- From: "Kevin B. McCarty" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] CC: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: C

Cite for print-to-postscript exploit in Mozilla?

2004-07-09 Thread Kevin B. McCarty
Hi, I would like to know where you found the security advisory that you cited in your email to Debian Bugs # 252362 and 247585. Inquiring minds would like to know what sort of exploit can be produced by the print-to-postscript option in Mozilla and Firefox (especially since it is still enabled by