From owner-freebsd-questions@FreeBSD.ORG Sun Nov 11 02:42:52 2007 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 06C6516A419 for ; Sun, 11 Nov 2007 02:42:52 +0000 (UTC) (envelope-from chuckr@chuckr.org) Received: from mail4.sea5.speakeasy.net (mail4.sea5.speakeasy.net [69.17.117.6]) by mx1.freebsd.org (Postfix) with ESMTP id D05D213C4A6 for ; Sun, 11 Nov 2007 02:42:51 +0000 (UTC) (envelope-from chuckr@chuckr.org) Received: (qmail 4767 invoked from network); 11 Nov 2007 02:42:38 -0000 Received: from april.chuckr.org (chuckr@[66.92.151.30]) (envelope-sender ) by mail4.sea5.speakeasy.net (qmail-ldap-1.03) with AES256-SHA encrypted SMTP for ; 11 Nov 2007 02:42:38 -0000 Message-ID: <47366BE7.1000202@chuckr.org> Date: Sat, 10 Nov 2007 21:41:43 -0500 From: Chuck Robey User-Agent: Thunderbird 2.0.0.6 (X11/20071107) MIME-Version: 1.0 To: Reko Turja References: <473570FC.7070002@szalbot.homedns.org> <014b01c8237f$3951a590$0a0aa8c0@rivendell> In-Reply-To: <014b01c8237f$3951a590$0a0aa8c0@rivendell> Content-Type: text/plain; charset=ISO-8859-2; format=flowed Content-Transfer-Encoding: 7bit Cc: zbigniew szalbot , freebsd-questions@freebsd.org Subject: Re: cups-base problem X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Nov 2007 02:42:52 -0000 Reko Turja wrote: > >> Dear all, >> >> Today I saw a security notice: > > ..snip... > >> cat distinfo >> MD5 (cups-1.3.3-source.tar.bz2) = d4911e68b6979d16bc7a55f68d16cc53 >> SHA256 (cups-1.3.3-source.tar.bz2) = >> 5e9e5670777055293e309cb0cbb2758df9c1275bf648df70478b7389c2d804de >> SIZE (cups-1.3.3-source.tar.bz2) = 4077262 > > Update your ports and INDEX file as it seems that you are installing a > vulnerable version of cups-base. The VuXML report says: > > Affects: > cups-base <1.3.4 > > so the cups-1.3.3 still has the vulnerability mentioned in the report. Actually, I think the worst security problem I've seen is one I don't personally care to fix right now, but I guess I will soon. It's the fact that postscript is actually a language, one that's more general purpose in limitations than many people realize. Isn't that true? I think this means that my postscript interpreter (which is, for me, and I think for most, is ghostscript) should have some security controls on it, to limit postscript's direct access to local machine capabilities. I think that the options in gs for security are too little. It'd be pretty easy to write a really nasty worm. I remember laughing at my Windows friends, back when that Philappines worm hit, but we could get pretty easily hit on gs, or am I all wet? I don't much like pdf, but at least its not succeptible to such a thing, because pdf's not a general purpose language (not a language at all). Nobody's take advantage of it, but it'd be possible to write a general purpose docbook interpreter entirely in postscript. Wonder if modern gs limitations would allow such a big program? Sure would be convenient. > -Rek > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "freebsd-questions-unsubscribe@freebsd.org"