On Tue, Jul 10, 2001 at 11:23:53AM +0100, Paul Jakma wrote:
> just reading some tanenbaum last night and a little point came up:
> Postscript is a programming language and can do file I/O etc... and
> his point was: mail clients might automatically run postscript
> attachments through an interpreter.
yes. however read http://www.cert.org/advisories/CA-1995-10.html and
note the solution.
> so what happens if a postscript file that does whatever the postscript
> equivalent of rm -rf ~/* gets run through ghostscript?
as long as ghostscript was invoked with -dSAFER, it should be fine.
> if the worst case: does this mean Unix has had a mail scripting hole
> long long before Outlook+vb came along?
unix had a slew of such holes. emacs mode lines, malicious exploitation
of . $PATH. others i'm sure. unix security, for most of the past thirty
years, was an oxymoron. what annoys me about microcomputer os/app vendors
is that they've chosen to completely ignore the lessons learned on unix
and mainframes. surely a few *new* mistakes would be nice rather than
just remaking the old ones (albeit on a larger and more public fashion).
kevin
--
kevin at suberic.net "linux is a cancer" --steve ballmer
fork()'ed on 37058400 "released 25 august 1991, linux is a virgo" --me
meatspace place: home linux, not just a star-sign:
http://suberic.net/~kevin http://www.linux.com/
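
An added example, not part of the original message or of Ghostscript: a Python check that scans mailcap entries for PostScript handlers that call gs directly without -dSAFER, or with -dNOSAFER, which switches the restriction back off. The sample mailcap text is constructed, and only direct gs/ghostscript invocations are examined (wrappers such as gv are out of scope here).

```python
import re
import shlex

# Constructed sample mailcap (RFC 1524 syntax); not taken from the thread.
SAMPLE_MAILCAP = r"""
# viewers
application/postscript; gs -q -sDEVICE=x11 %s
application/postscript; gs -dSAFER -dNOPAUSE \
    -q %s; test=test -n "$DISPLAY"
application/PostScript; /usr/bin/ghostscript -dSAFER -dNOSAFER %s
application/pdf; xpdf %s
text/html; lynx -dump %s; copiousoutput
"""

PS_TYPES = {"application/postscript", "application/*"}
GS_NAMES = {"gs", "ghostscript"}


def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def unsafe_ps_handlers(text):
    """Return view commands that run Ghostscript on PostScript unsandboxed."""
    findings = []
    for line in logical_lines(text):
        # Mailcap fields are separated by unescaped semicolons.
        fields = [f.strip() for f in re.split(r"(?<!\\);", line)]
        if len(fields) < 2 or fields[0].lower() not in PS_TYPES:
            continue
        try:
            argv = shlex.split(fields[1])
        except ValueError:
            findings.append(fields[1])  # unparseable command: review by hand
            continue
        if not any(a.rsplit("/", 1)[-1] in GS_NAMES for a in argv):
            continue
        if "-dSAFER" not in argv or "-dNOSAFER" in argv:
            findings.append(fields[1])
    return findings


if __name__ == "__main__":
    for cmd in unsafe_ps_handlers(SAMPLE_MAILCAP):
        print("PostScript handler without -dSAFER:", cmd)
```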