[texhax] Duff email rokicki at radicaleye.com

Reinhard Kotucha reinhard.kotucha at web.de
Mon Aug 28 22:50:14 CEST 2006


>>>>> "Tom" == Tom Schneider <toms at ncifcrf.gov> writes:

  > One converts from dvi to postscript with a program called
  > ghostscript.  Generally there is a script called dvips that does
  > this.

Actually the conversion from dvi to ps is done by dvips and
ghostscript is not involved.  I'm sure you know this, Tom, but maybe
you thought about xdvi which calls ghostscript to render graphics.

  > It's a text file, for gosh's sake, so I am not worried about
  > viruses.  You are entering the world of open source software where
  > we do not generally need to worry about viruses!  Why?  Because
  > it's a text file and I have no intention (and couldn't) execute
  > it.  Get a Mac or a Linux box and you won't worry either.

If you talk about PostScript files you should be a little bit more
worried about viruses.

A PS file is not just a text file, it's a program.  PostScript is a
very powerful programming language.  A PostScript program can contain
malicious code.  In particular, it can create arbitrary files.  It
also can read from another PS file and execute the code.  It cannot
execute other programs, though.

The ability to generate files is quite dangerous under Windows because
it can make the files executable by applying an extension like .exe,
.bat, .vba ... to the filename.  Under UNIX it is safer because it is
required to execute the program chmod to make a file executable.  But
PostScript doesn't allow this.

However, a PostScript file cannot cause any damage itself.  It needs
an interpreter to be executed.

Some printers have PS interpreters built in.  Maybe there is not very
much which can be damaged there.  But it depends on the printer.  But
what a PS program always can do is to put the interpreter into an
endless loop.

Another PS interpreter is Ghostscript.  GS does not write to files
unless you explicitly allow it to do so.  There are no known security
holes in Ghostscript.  The opposite is the case:  The paranoia of GS
developers often results in inconveniences.

Tom said that open source software is more secure.  Why?  Simply
because if you make the sources available to millions of people you
can be sure that at least a hundred experts look into the sources in
order to find security holes.  At least Linux and *-BSD distributors
are extremely careful in this respect.

Regards,
  Reinhard

-- 
----------------------------------------------------------------------------
Reinhard Kotucha			              Phone: +49-511-4592165
Marschnerstr. 25
D-30167 Hannover	                      mailto:reinhard.kotucha at web.de
----------------------------------------------------------------------------
Microsoft isn't the answer. Microsoft is the question, and the answer is NO.
----------------------------------------------------------------------------
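
The message's point that a PostScript file is a program able to create files and run other PS files can be checked before a file reaches an interpreter. The following is an added example, not part of the original message: a static triage in Python that reports executable uses of the PostScript file operators while ignoring the same words inside strings, comments and literal names. The function names and the sample input are constructed for illustration.

```python
import re

# PostScript operators (PLRM) that open, execute, delete or rename files.
FILE_OPERATORS = {"file", "run", "deletefile", "renamefile"}

def strip_strings_and_comments(ps):
    """Drop (...) strings and % comments, keeping newlines for line numbers."""
    out, depth, i = [], 0, 0
    while i < len(ps):
        c = ps[i]
        if depth:                          # inside a (possibly nested) string
            if c == "\\" and i + 1 < len(ps):
                i += 1
                c = ps[i]                  # escaped character, never a delimiter
            elif c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            if c == "\n":
                out.append(c)
        elif c == "(":
            depth = 1
            out.append(" ")                # a string still separates tokens
        elif c == "%":
            while i < len(ps) and ps[i] not in "\r\n":
                i += 1
            continue                       # leave the newline for the next pass
        else:
            out.append(c)
        i += 1
    return "".join(out)

def find_file_operators(ps):
    """Return (line, operator) for each executable file-access name."""
    hits = []
    for lineno, line in enumerate(strip_strings_and_comments(ps).splitlines(), 1):
        for slashes, name in re.findall(r"(/{0,2})([^\s()<>\[\]{}/%]+)", line):
            # "/name" is a literal (data); "name" and "//name" are looked up.
            if slashes != "/" and name in FILE_OPERATORS:
                hits.append((lineno, name))
    return hits

# Constructed sample input, not taken from the message.
SAMPLE = r"""%!PS
% the word file in this comment is ignored
(note.txt) (w) file
dup (the run operator \(text only\)) writestring closefile
(other.ps) run
/file pop
"""

if __name__ == "__main__":
    for lineno, name in find_file_operators(SAMPLE):
        print(f"line {lineno}: {name}")
```

Because PostScript can build and execute names at run time, an empty result does not show that a file is harmless; the scan only points out where to look first.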



