Re: Why does PDFPIC require unsafe mode -U, but PSPIC doesn't?


From: Michał Kruszewski
Subject: Re: Why does PDFPIC require unsafe mode -U, but PSPIC doesn't?
Date: Sun, 30 Jul 2023 15:43:28 +0000

I do not have much knowledge in this area.
I just came across this interesting blog 
https://cromwell-intl.com/open-source/pdf-not-authorized.html that also has 
some nice references.

However, right now I wonder when I should be extra careful when using groff.
-Tpdf is my default choice, and most of my papers include images, so I use -U 
almost all the time.

Best regards,
Michał Kruszewski

Sent with Proton Mail secure email.

------- Original Message -------
On Sunday, July 30th, 2023 at 12:26 PM, G. Branden Robinson 
<g.branden.robinson@gmail.com> wrote:


> Hi Michał,
> 
> At 2023-07-30T08:29:35+0000, Michał Kruszewski via wrote:
> 
> > Why does PDFPIC require unsafe mode -U, but PSPIC doesn't?
> 
> 
> troff(1):
>     -U    Operate in unsafe mode, enabling the open, opena, pi, pso, and
>           sy requests, which are disabled by default because they allow an
>           untrusted input document to write to arbitrary file names and
>           run arbitrary commands. [...]
> 
> pdfpic.tmac uses the `sy` (and, post-groff 1.23.0, `pso`) requests;
> pspic.tmac does not.
> 
> > If I understand correctly one can easily execute shell commands from
> > PostScript.
> 
> 
> I didn't know that. At the same time, (a) the formatter itself does not
> interpret general PostScript,[1] and (b) the grops(1) output driver
> doesn't either; it produces PostScript[2]. If interpretation of
> PostScript is security-hazardous, it is the PostScript interpreter that
> needs to be managed. I suppose that GhostScript's often-seen (and
> now-default) `-dSAFER` option addresses this issue.[3]
> 
> Does this help?
> 
> Regards,
> Branden
> 
> [1] The formatter's `psbb` request performs limited interpretation of
> PostScript to extract bounding box information.
> 
> https://git.savannah.gnu.org/cgit/groff.git/tree/src/roff/troff/input.cpp?h=1.23.0#n6549
> 
> [2] A document can embed arbitrary content into troff output by means of
> the `\\!` escape sequence and `output` request. The former is a CSTR
> #54 feature. Whether this constitutes an attack surface would
> depend on how the output driver is written.
> 
> [3] https://ghostscript.com/docs/9.54.0/Use.htm
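
For the question of when to be careful with -U: a pre-flight check, added here as an example (it is not part of the thread or of groff), that lists the lines of a roff source invoking the five requests the quoted troff(1) text says -U enables. The name `scan_roff` and the sample document are constructed; the scan is a heuristic that assumes the default control characters and does not follow `.so`/`.mso` includes or macro packages such as pdfpic.tmac.

```python
import re

# Requests that troff -U enables, per the troff(1) text quoted in the thread.
UNSAFE = ("open", "opena", "pi", "pso", "sy")

# A request call: control character "." or "'" at line start, or after a blank
# or "\{" (as in ".if t .sy ..."), then optional blanks, then the request name.
CALL = re.compile(r"(?:^|[ \t]|\\\{)[.'][ \t]*(%s)(?=[ \t]|\\|$)" % "|".join(UNSAFE))
# .als/.rn can give an unsafe request another name; .cc/.c2 change the
# control characters this heuristic relies on.
INDIRECT = re.compile(r"[.'][ \t]*(als|rn|cc|c2)(?=[ \t]|$)(.*)")
COMMENT = re.compile(r"[.'][ \t]*\\[\"#]")


def scan_roff(text):
    """Return (line_number, kind, line) for lines to read before running -U."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.startswith((".", "'")):
            continue  # text line: requests are only recognised on control lines
        if COMMENT.match(line):
            continue  # whole-line comment
        indirect = INDIRECT.match(line)
        if indirect and indirect.group(1) in ("cc", "c2"):
            findings.append((number, "control-char-change", line))
        elif indirect and set(indirect.group(2).split()) & set(UNSAFE):
            findings.append((number, "alias", line))
        else:
            call = CALL.search(line)
            if call:
                findings.append((number, call.group(1), line))
    return findings


# Constructed sample document (not from the thread).
SAMPLE = "\n".join([
    r'.\" constructed sample',
    r".PDFPIC figure.pdf",
    r".sy date > /tmp/stamp",
    r".if t \{.pso cat notes.txt",
    r".\}",
    r"Text mentioning .sy in running prose is not a request.",
    r".als run sy",
    r".opena log build.log",
])

if __name__ == "__main__":
    for number, kind, line in scan_roff(SAMPLE):
        print(f"{number}: [{kind}] {line}")
```

An empty result means the document itself makes no direct use of these requests; the `sy`/`pso` calls inside pdfpic.tmac still run under -U.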


