Mailinglist Archive: opensuse-factory (443 mails)

Re: [opensuse-factory] LyX and ImageMagick

Hello,

Only a side note, FYI

On Jul 10 20:39 Brüns, Stefan wrote (excerpt):
LyX can work properly even without EPS/PS support, just use PNG, JPEG (or almost any other raster format) or PDF (which e.g. SVG can be converted to) for graphics and illustrations.

I don't know about the details or internals of LyX but
in general PDF is not a secure data format because
a PDF file is also a program (to some extent - PDF is not
a Turing-complete programming language as PostScript is), cf.
"It is crucial to limit access to CUPS to trusted users" at
https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings

There is basically the same number of security exploits
for Ghostscript written in PDF as in PostScript.

You may also have a look at
"PostScript versus PDF as standard print job format" at
https://en.opensuse.org/Concepts_printing
therein in particular the part about
"There is no such thing as THE PDF format"

Also remember the endless sequence of security issues with
the Adobe Reader which proves that (at least in practice)
PDF is not (and will not be) a secure data format.

And to make all that stuff look finally hopeless:

I remember security issues with much simpler (graphic) data formats
where a maliciously crafted file made certain processing software
misbehave (e.g. segfault) and any misbehaviour of a software
could be misused to let the software do "bad things".

The root cause is that for any processing software its input
is some kind of program (with limited intended functionality)
that controls what the processing software does so in the end
all is about processing arbitrary kind of "programs" from
possibly untrusted origin.

Just happily let your browser automatically process all those
tons of various kind of input data that it gets downloaded
from that "nice and friendly Internet out there" ;-)

From my personal point of view the generic root cause is
https://en.wikipedia.org/wiki/Software_bloat
and in particular a violation of RFC 1925 items 5 and 6a.

Accordingly the generic solution should be along the lines of
https://en.wikipedia.org/wiki/KISS_principle
and in particular
https://en.wikipedia.org/wiki/Unix_philosophy

I think this will not happen in the foreseeable future.
But hope dies last...


Kind Regards
Johannes Meixner
--
SUSE LINUX GmbH - HRB 21284 (AG Nuernberg)
GF: Felix Imendoerffer, Mary Higgins, Sri Rasiah
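Added example, not part of the message above and not code from LyX, Ghostscript or openSUSE: a small Python check that illustrates the "a PDF file is also a program" point. It scans the raw bytes of a PDF for standard ISO 32000 names that mark active content (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile, /RichMedia, /XFA), resolves the #xx name escapes that are commonly used to hide such names, and, because a raw-byte scan cannot look inside compressed object streams, returns "unknown" rather than "passive" whenever it sees /ObjStm or a stream filter. The three sample PDFs are constructed inline for the demonstration; the function and verdict names are this example's own.

```python
import re

# Standard PDF dictionary keys / action types (ISO 32000-1) whose presence
# means the file carries executable or event-triggered content, i.e. it is
# more than passive page-description data.
ACTIVE_MARKERS = {
    "JavaScript": "JavaScript action dictionary",
    "JS": "JavaScript code (string or stream)",
    "OpenAction": "action executed when the document is opened",
    "AA": "additional actions (event triggers)",
    "Launch": "launch-an-application action",
    "EmbeddedFile": "embedded file stream",
    "RichMedia": "rich media annotation",
    "XFA": "XFA form (XML, scripted)",
}

# Names that hide object contents from a raw-byte scan. Seeing one of them
# means this scan is incomplete, not that the file is safe.
OPAQUE_MARKERS = {"ObjStm", "FlateDecode", "LZWDecode", "ASCIIHexDecode",
                  "ASCII85Decode", "RunLengthDecode"}

# A PDF name token: '/' followed by anything up to whitespace or a delimiter.
_NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")


def _decode_name(raw):
    """Resolve #xx escapes so /Java#53cript compares equal to /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf_bytes(data):
    """Return (active, opaque): active maps marker name -> occurrence count,
    opaque is the set of compression/encoding names seen. Raw string scan,
    no PDF library involved, so it runs on any bytes, even truncated files."""
    active = {}
    opaque = set()
    for m in _NAME_RE.finditer(data):
        name = _decode_name(m.group(1))
        if name in ACTIVE_MARKERS:
            active[name] = active.get(name, 0) + 1
        elif name in OPAQUE_MARKERS:
            opaque.add(name)
    return active, opaque


def verdict(data):
    """'reject' if active content is visible, 'unknown' if parts of the file
    are compressed and could not be inspected, 'passive' otherwise."""
    active, opaque = scan_pdf_bytes(data)
    if active:
        return "reject"
    if opaque:
        return "unknown"
    return "passive"


# Constructed samples for the demonstration (not real-world files).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Same skeleton, plus an OpenAction pointing at a JavaScript action whose
# /S value is written with a #53 escape to dodge naive grep-style checks.
SCRIPTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj\n"
    b"4 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Objects packed into a compressed object stream: nothing active is visible,
# but nothing can be ruled out either.
COMPRESSED_PDF = (
    b"%PDF-1.5\n"
    b"5 0 obj << /Type /ObjStm /N 1 /First 5 /Filter /FlateDecode /Length 10 >>\n"
    b"stream\nxxxxxxxxxx\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("scripted", SCRIPTED_PDF),
                        ("compressed", COMPRESSED_PDF)):
        print(label, verdict(blob), scan_pdf_bytes(blob))
```

The useful property for a converter pipeline is the three-way result: a file is only treated as plain data when the scan could actually see all of it; anything with compressed object streams has to go through a real parser (or a sandboxed renderer) before a decision is made.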