pstotext: remote execution of arbitrary code

Posted Mar 30, 2006 10:11 UTC (Thu) by nix (subscriber, #2304)
Parent article: pstotext: remote execution of arbitrary code

If that's a remote execution vulnerability, then so is *anything*.

I'd rather that 'remote execution' be reserved for cases where the vulnerable application is directly involved in reception of messages from remote sources. It's widely known that once you've got in via some other attack vector (e.g. the social-engineering attack mentioned here), then local vulnerabilities become significant, but that doesn't make all local vulnerabilities remote ones as well.


pstotext: remote execution of arbitrary code

Posted Mar 30, 2006 13:58 UTC (Thu) by mv (subscriber, #17258)

I can't say for other distributions, but in the case of Debian and pstotext this vulnerability can actually be exploited remotely with only a little user input. pstotext is listed in mailcap and gets invoked by various programs when the user chooses to display the PostScript. Like, I send you an email with a .ps attached, you read the mail in mutt and press 'v' + enter to display the PostScript. If $DISPLAY is not set or there are no other viewers installed, pstotext will be invoked and happily execute an embedded shell script, do file IO, etc.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=319758

Not that I disagree with your point, though.
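
A defensive check for the mailcap path described in the comment above, as an added example that is not part of the original thread or of any Debian tooling: it parses mailcap text (RFC 1524 syntax) and reports where a watched converter such as `pstotext` is registered for a MIME type and whether a `test=` condition guards the entry. The sample mailcap and all function names are constructed for illustration.

```python
import os

# Constructed sample mailcap modelled on the situation described above;
# it is not copied from any real package.
SAMPLE_MAILCAP = r'''
# graphical viewer, only usable when X is available
application/postscript; gv '%s'; test=test -n "$DISPLAY"
# text fallback used on a console
application/postscript; pstotext '%s'; \
    copiousoutput
text/html; lynx -dump '%s'; copiousoutput
'''

def split_fields(line):
    """Split one mailcap entry on ';', honouring backslash escapes."""
    fields, cur, esc = [], [], False
    for ch in line:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ";":
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur).strip())
    return fields

def handlers_for(text, mime_type):
    """Return (program, test-condition) pairs for mime_type, in file order."""
    out = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        if len(fields) < 2 or not fields[1]:
            continue
        pat = fields[0].lower()
        if pat == mime_type or (pat.endswith("/*") and mime_type.startswith(pat[:-1])):
            test = next((f[5:] for f in fields[2:] if f.startswith("test=")), None)
            out.append((os.path.basename(fields[1].split()[0]), test))
    return out

def audit(text, mime_type, watched=("pstotext",)):
    """Flag watched programs; test=None means the entry is unconditional."""
    return [{"order": i, "program": prog, "test": test}
            for i, (prog, test) in enumerate(handlers_for(text, mime_type), 1)
            if prog in watched]
```

Running `audit()` over the system and per-user mailcap files shows whether a mail client that falls through to the second entry when `$DISPLAY` is unset would hand an attachment to the converter.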
