cups-base problem

[Chuck Robey]

Reko Turja wrote:
> 
>> Dear all,
>>
>> Today I saw a security notice:
> 
> ..snip...
> 
>> cat distinfo
>> MD5 (cups-1.3.3-source.tar.bz2) = d4911e68b6979d16bc7a55f68d16cc53
>> SHA256 (cups-1.3.3-source.tar.bz2) = 
>> 5e9e5670777055293e309cb0cbb2758df9c1275bf648df70478b7389c2d804de
>> SIZE (cups-1.3.3-source.tar.bz2) = 4077262
> 
> Update your ports and INDEX file as it seems that you are installing a 
> vulnerable version of cups-base. The VuXML report says:
> 
> Affects:
> cups-base <1.3.4
> 
> so the cups-1.3.3 still has the vulnerability mentioned in the report.

Actually, I think the worst security problem I've seen is one I don't 
personally care to fix right now, but I guess I will soon.  It's the 
fact that postscript is actually a language, one that's more general 
purpose in limitations than many people realize.  Isn't that true?  I 
think this means that my postscript interpreter (which is, for me, and I 
think for most, is ghostscript) should have some security controls on 
it, to limit postscript's direct access to local machine capabilities.
I think that the options in gs for security are too little.  It'd be 
pretty easy to write a really nasty worm.  I remember laughing at my 
Windows friends, back when that Philappines worm hit, but we could get 
pretty easily hit on gs, or am I all wet?

I don't much like pdf, but at least its not succeptible to such a thing, 
because pdf's not a general purpose language (not a language at all). 
Nobody's take advantage of it, but it'd be possible to write a general 
purpose docbook interpreter entirely in postscript.  Wonder if modern gs 
  limitations would allow such a big program?  Sure would be convenient.

> -Rek
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org"