Re: Why does PDFPIC require unsafe mode -U, but PSPIC doesn't?
From: G. Branden Robinson
Subject: Re: Why does PDFPIC require unsafe mode -U, but PSPIC doesn't?
Date: Sun, 30 Jul 2023 11:06:25 -0500
Hi Michał,

At 2023-07-30T15:43:28+0000, Michał Kruszewski wrote:
> I do not have much knowledge in this area.

Anybody who claims that they know enough about security is selling
something.

> I just came across this interesting blog
> https://cromwell-intl.com/open-source/pdf-not-authorized.html that
> also has some nice references.

I'll bookmark that for further reading--thanks!

> However, right now I wonder when I should be extra careful when using
> groff. -Tpdf is my default choice, and most of my papers include
> images, so I use -U almost all the time.

You've identified the saving grace. If the document source, including
the images, is under _your_ control, or you have audited them for
problems and find them unremarkable, then you should be fine.

Downloading a groff document from an email that promises amusing dancing
elephants thanks to cool PDF features, if only you'll specify the
helpful '-U' flag to groff, is the classic attack profile here.

I have wondered about getting groff's fingers out of this pie by
supporting a generic preprocessor for extracting image dimensions, since
that is all the `psbb` request does, and the only reason the `PDFPIC`
macro requires the `sy` request.

Just running ImageMagick/GraphicsMagick's identify(1) program could do
the job for PostScript and PDF, as well as any future means we develop
of dealing with raster images. But when trying that out I ran into an
amusing problem.

$ identify ./doc/gnu.eps
identify-im6.q16: attempt to perform an operation not allowed by the security
policy `PS' @ error/constitute.c/IsCoderAuthorized/421.
$ identify ./build/doc/groff.pdf
identify-im6.q16: attempt to perform an operation not allowed by the security
policy `PDF' @ error/constitute.c/IsCoderAuthorized/421.

Well, if both file formats are inherently insecure as the article you
linked claims[1], _some_ program is going to have to be authorized to do
insecure things.

When last I raised this idea (probably more vaguely expressed) to this
list, Keith Marshall suggested that it was a terrible notion, but I
could not make complete sense of his reasoning, and it was an idle fancy
anyway given the need to get groff 1.23 out.

Regards,
Branden

[1] "PostScript defines a language with unfixable security problems."

I had long understood this to be the case. I had also thought, I
suppose wrongly, that PDF was more carefully designed so as to not
permit arbitrary computation. But I guess I stand corrected. I see
that this author also recommends prohibiting Microsoft's NIH page
description language XPS. Either page description is too demanding
a problem domain, or as often happens, the profit-driven firms
seeking conquest of sectors of the IT market discard difficult
security management problems in order to accelerate delivery
schedules. Move fast, break stuff, screw your customers.
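As an added illustration of the "generic preprocessor for extracting image dimensions" idea in the message above (example code written for this page, not groff's own code and not from the thread): a dimension extractor that reads the EPS `%%BoundingBox` comment or the PDF `/MediaBox` entry as plain text, so neither a PostScript/PDF interpreter nor a `sy` shell request is involved. The EPS and PDF inputs are constructed inline; a real preprocessor would also have to cope with compressed object streams, which this text-only parser deliberately does not interpret.

```python
"""Added example (not groff's code): read the bounding box of an EPS or PDF by
parsing only its text structure; nothing in the file is executed."""
import re

# Constructed minimal EPS and PDF inputs for offline testing.
SAMPLE_EPS = b"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 200 100
%%EndComments
newpath 0 0 moveto 200 100 lineto stroke
showpage
"""
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 /MediaBox [0 0 612 792] >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 300 150] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

_EPS_BBOX = re.compile(rb"^%%BoundingBox:\s*(-?\d+)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)\s*$", re.M)
_PDF_PAGE = re.compile(rb"/Type\s*/Page(?!s)")  # a page object, not the /Pages tree
_PDF_MEDIABOX = re.compile(
    rb"/MediaBox\s*\[\s*(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s*\]")

def bounding_box(data: bytes):
    """Return (llx, lly, urx, ury) in PostScript points, or None if not found.

    Only the DSC header comment (EPS) or a /MediaBox entry (PDF) is read;
    nothing in the file is interpreted or executed. A MediaBox hidden inside a
    compressed object stream is not visible to this parser and yields None.
    """
    if data.startswith(b"%!PS"):
        m = _EPS_BBOX.search(data)
        return tuple(int(x) for x in m.groups()) if m else None
    if data.startswith(b"%PDF"):
        # Prefer the first page object's own MediaBox; otherwise accept any
        # MediaBox in the file, e.g. one inherited from the page tree root.
        page = _PDF_PAGE.search(data)
        m = _PDF_MEDIABOX.search(data, page.start() if page else 0) \
            or _PDF_MEDIABOX.search(data)
        return tuple(float(x) for x in m.groups()) if m else None
    return None

def dimensions(data: bytes):
    """Width and height in points: the two numbers PDFPIC needs from psbb."""
    box = bounding_box(data)
    return None if box is None else (box[2] - box[0], box[3] - box[1])
```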