[texhax] Duff email rokicki at radicaleye.com

Tom Schneider toms at ncifcrf.gov
Mon Aug 28 23:04:52 CEST 2006


>   > One converts from dvi to postscript with a program called
>   > ghostscript.  Generally there is a script called dvips that does
>   > this.
> Actually the conversion from dvi to ps is done by dvips and
> ghostscript is not involved.  I'm sure you know this, Tom, but maybe
> you thought about xdvi which calls ghostscript to render graphics.

I looked again and you are right, dvips is an executable program.  I
must have done something odd ...

>   > It's a text file, for gosh's sake, so I am not worried about
>   > viruses.  You are entering the world of open source software where
>   > we do not generally need to worry about viruses!  Why?  Because
>   > it's a text file and I have no intention (and couldn't) execute
>   > it.  Get a Mac or a Linux box and you won't worry either.
> If you talk about PostScript files you should be a little bit more
> worried about viruses.
> A PS file is not just a text file, it's a program.  PostScript is a
> very powerful programming language.  A PostScript program can contain
> malicious code.  In particular, it can create arbitrary files.  It
> also can read from another PS file and execute the code.  It cannot
> execute other programs, though.

Good point.

> The ability to generate files is quite dangerous under Windows because
> it can make the files executable by applying an extension like .exe,
> .bat, .vba ... to the filename.  Under UNIX it is safer because it is
> required to execute the program chmod to make a file executable.  But
> PostScript doesn't allow this.
> However, a PostScript file cannot cause any damage itself.  It needs
> an interpreter to be executed.

Right.  I don't live in the Windows world.  So if I had a nasty
PostScript program running the most it would do would be mess with my
files and nothing of the system would be affected.

Of course if it DID mess with my files I could look into the code to
figure out what it did and then trace back to the source ...

> Some printers have PS interpreters built in.  Maybe there is not very
> much which can be damaged there.  But it depends on the printer.  But
> what a PS program always can do is to put the interpreter into an
> endless loop.

Hmm.  Maybe that explains why some scientific papers have hung our
printers on occasion ...

> Another PS interpreter is Ghostscript.  GS does not write to files
> unless you explicitly allow it to do so.  There are no known security
> holes in Ghostscript.  The opposite is the case:  The paranoia of GS
> developers often results in inconveniences.
> Tom said that open source software is more secure.  Why?  Simply
> because if you make the sources available to millions of people you
> can be sure that at least a hundred experts look into the sources in
> order to find security holes.  At least Linux and *-BSD distributors
> are extremely careful in this respect.



  Dr. Thomas D. Schneider
  National Institutes of Health
  National Cancer Institute
  Center for Cancer Research Nanobiology Program
  Molecular Information Theory Group
  Frederick, Maryland  21702-1201
  toms at ncifcrf.gov
  permanent email: toms at alum.mit.edu (use only if first address fails)
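
The point made in the quoted reply, that a PostScript file is a program able to open files and run other PostScript files, can be checked statically before a file reaches an interpreter. The following is an added example, not part of the original message: a Python triage scanner that lists uses of the standard PostScript file operators while ignoring comments, string literals and literal names. The function names and the sample input are constructed for illustration.

```python
import re

# Standard PostScript operators that touch the file system or execute
# another file. Choosing this particular set is this example's assumption.
FILE_OPS = {"file", "run", "deletefile", "renamefile", "filenameforall"}
NAME = re.compile(r"(/{0,2})([^\s()<>\[\]{}/%]+)")

def executable_names(ps):
    """Yield (line, name) for names outside comments and string literals."""
    i, line, n = 0, 1, len(ps)
    while i < n:
        c = ps[i]
        if c == "%":                          # comment: skip to end of line
            while i < n and ps[i] != "\n":
                i += 1
        elif c == "(":                        # string literal: parentheses nest
            depth = 0
            while i < n:
                if ps[i] == "\\":
                    i += 1                    # step onto the escaped character
                else:
                    depth += (ps[i] == "(") - (ps[i] == ")")
                line += ps[i:i + 1] == "\n"
                i += 1
                if depth == 0:
                    break
        else:
            m = NAME.match(ps, i)
            if m:
                if m.group(1) != "/":         # "/name" is a literal, not a call
                    yield line, m.group(2)
                i = m.end()
            else:                             # whitespace or a delimiter
                line += c == "\n"
                i += 1

def scan(ps):
    """Return [(line, operator)] for each file-related operator that is used."""
    return [(ln, t) for ln, t in executable_names(ps) if t in FILE_OPS]

# Constructed sample input, not taken from any real document.
SAMPLE = r"""%!PS
% run deletefile inside a comment is inert
(a string that says (file) and \) run) show
/deletefile where { pop pop } if
(out.txt) (w) file
(other.ps) run
"""
if __name__ == "__main__": print(scan(SAMPLE))
```

A clean result is not proof of safety, since PostScript can build and execute operator names at run time; the interpreter's own file-access restrictions remain the control.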
