I guess this issue can be exploited remotely. If /etc/mailcap uses gs, then we are done: neither -P- nor -dSAFER are defaults.
My Debian /etc/mailcap uses gv, and gv knows to use -dSAFER. First "feed" the victim a "bad" PS file named gs_res.ps or pdf_base.ps or similar. No harm done yet. Then "feed" the victim any PS or PDF file: quite likely the old file will have its original name, still in place, in the same place as the new file: gv does not use -P- and our first file will be used. Would it help if I (or someone with actual knowledge) would put together a proof-of-concept demo? Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
