Hi Michał,

At 2023-07-30T15:43:28+0000, Michał Kruszewski wrote:
> I do not have much knowledge in this area.

Anybody who claims that they know enough about security is selling
something.

> I just came across this interesting blog
> https://cromwell-intl.com/open-source/pdf-not-authorized.html that
> also has some nice references.

I'll bookmark that for further reading--thanks!

> However, right now I wonder when I should be extra careful when using
> groff. -Tpdf is my default choice, and most of my papers include
> images, so I use -U almost all the time.

You've identified the saving grace. If the document source, including
the images, is under _your_ control, or you have audited them for
problems and find them unremarkable, then you should be fine.
Downloading a groff document from an email that promises amusing
dancing elephants thanks to cool PDF features, if only you'll specify
the helpful '-U' flag to groff, is the classic attack profile here.

I have wondered about getting groff's fingers out of this pie by
supporting a generic preprocessor for extracting image dimensions,
since that is all the `psbb` request does, and the only reason the
`PDFPIC` macro requires the `sy` request. Just running
ImageMagick/GraphicsMagick's identify(1) program could do the job for
PostScript and PDF, as well as any future means we develop of dealing
with raster images.

But when trying that out I ran into an amusing problem.

$ identify ./doc/gnu.eps
identify-im6.q16: attempt to perform an operation not allowed by the security policy `PS' @ error/constitute.c/IsCoderAuthorized/421.
$ identify ./build/doc/groff.pdf
identify-im6.q16: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/421.

Well, if both file formats are inherently insecure as the article you
linked claims[1], _some_ program is going to have to be authorized to
do insecure things.

When last I raised this idea (probably more vaguely expressed) to this
list, Keith Marshall suggested that it was a terrible notion, but I
could not make complete sense of his reasoning, and it was an idle
fancy anyway given the need to get groff 1.23 out.

Regards,
Branden

[1] "PostScript defines a language with unfixable security problems."

I had long understood this to be the case. I had also thought, I
suppose wrongly, that PDF was more carefully designed so as to not
permit arbitrary computation. But I guess I stand corrected.

I see that this author also recommends prohibiting Microsoft's NIH page
description language XPS. Either page description is too demanding a
problem domain, or as often happens, the profit-driven firms seeking
conquest of sectors of the IT market discard difficult security
management problems in order to accelerate delivery schedules. Move
fast, break stuff, screw your customers.
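As an added illustration of the "generic preprocessor for extracting image dimensions" idea in the message above (this is example code, not code from groff or from anyone in this thread), the following Python reads an EPS or PDF bounding box by pattern-matching the file's text structure only, so the file is never handed to a PostScript or PDF interpreter and the ImageMagick policy question does not arise. It assumes a DSC-conformant EPS header carrying a literal %%BoundingBox line and a PDF whose /MediaBox sits in an uncompressed object; the sample inputs are constructed.

```python
import re

# Constructed sample inputs: a minimal DSC-conformant EPS header and a
# minimal uncompressed PDF page object. Neither is ever executed.
SAMPLE_EPS = b"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 12 24 300 400
%%EndComments
/Helvetica findfont 12 scalefont setfont
"""
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Page /MediaBox [0 0 612 792] /Parent 2 0 R >> endobj
"""

_EPS_BBOX = re.compile(
    rb"^%%BoundingBox:\s*(-?\d+)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)\s*$", re.M)
_PDF_MEDIABOX = re.compile(
    rb"/MediaBox\s*\[\s*(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s*\]")


def bounding_box(data: bytes):
    """Return (llx, lly, urx, ury) in PostScript points for EPS or PDF bytes.

    Only DSC comments / object text are matched; no PostScript is run and
    no image coder is invoked, so a hostile file gets no code execution.
    Raises ValueError when the box cannot be found: refusing is the safe
    failure mode, guessing a size is not.
    """
    if data.startswith(b"%!PS"):
        # DSC puts %%BoundingBox in the header; anything after
        # %%EndComments is program text and is deliberately not trusted.
        header = data.split(b"%%EndComments", 1)[0]
        m = _EPS_BBOX.search(header)      # "(atend)" is rejected on purpose
        if not m:
            raise ValueError("EPS: no usable %%BoundingBox in header")
        return tuple(int(v) for v in m.groups())
    if data.startswith(b"%PDF"):
        m = _PDF_MEDIABOX.search(data)    # first uncompressed /MediaBox only
        if not m:
            raise ValueError("PDF: no uncompressed /MediaBox found")
        return tuple(float(v) for v in m.groups())
    raise ValueError("not an EPS or PDF file")


def dimensions(data: bytes):
    """Width and height in points, as a psbb-style preprocessor would report."""
    llx, lly, urx, ury = bounding_box(data)
    return urx - llx, ury - lly
```

A PDF that stores its page dictionary inside a compressed object stream, or an EPS that defers its box with "(atend)", makes this refuse rather than fall back to an interpreter; that refusal is the point.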