On Wed, Jul 6, 2016, at 10:28 PM, Ian Jackson wrote:
> Kan-Ru Chen writes ("Re: Bug#830143: mupdf's libjs can talk to the
> terminal and interact"):
> > Thanks for the report. Why did you think this is Severity: serious and
> > Tags: security? Is the js console vulnerable to arbitrary code
> > execution?
>
> My initial report describes a denial of service on a web browser.

While blocking the GUI because the program is reading from the tty is a
bad user experience, I don't think it's a security issue since it
requires you to use the special configuration of Firefox. MuPDF is
normally executed from the command line.

Anyway, I will make a patch to disable this feature in the next upload
because I think it's a poor implementation and very confusing. I'll
forward this issue to upstream.

Thanks again for reporting.

Kanru

> Ian.