Re: Netscape Logic Bomb detailed by IETF
Perry E. Metzger writes:
anonymous-remailer@shell.portal.com writes:
Clearly, someone has a vested interest which they are expending a great deal of effort to protect. My email to Netscape detailing their logic bomb has gone unanswered, and unacknowledged for ten days now.
Maybe because you're an idiot and they don't feel that it's necessary to answer. What more need be said?
I see that Perry is as charming as ever? Perry, I just don't think that it is wise to stick your head in the sand and ignore a severe flaw in your algorithm, while actively misrepresenting matters to those people who are not intimately familiar with the IETF.
Those of us who care run our postscript interpreters with all the dangerous commands stripped out,
Perry, I'll call you on that one, cause you simply can't do it. Postscript isn't like any other language around. Operator names have no special significance to the interpreter. You can't just "strip out" dangerous commands. They aren't "reserved" in the sense that operator names are in other languages, like COBOL or BASIC. In Postscript, operator names are simply keys into a LIFO dictionary. This makes Postscript different from other languages because you could redefine these names if you wanted to. Stripping something from a dictionary doesn't matter because the search sequence is top down. If I rewrite an operator name, and put it at the top of the stack, there's not anything you can do. Geez, Perry, even if you haven't stripped something out, I can rewrite it. And the interpreter will find the rewritten version before the version that's in your machine.

And before someone attacks me for an inelegant "style", these potentially confusing antics are routinely used under extraordinary circumstances. There's no malice involved at all, simply real-world operation.

And this is why the Request-For-Comments from the IETF warns:

"Postscript is an extensible language, and many, if not most, implementations of it provide their own extensions. This document does not deal with such extensions explicitly since they constitute an unknown factor ..."

Is that clearer?? If you thought that you had "safety" cause you stripped your interpreter, then you're in trouble, cause that doesn't work.
but given that Netscape doesn't supply postscript interpreters, it's not really their fault or problem.
Well, that line might work on those who don't know any better, but that's also why the Internet Engineering Task Force (IETF) tries to protect the public by suggesting that implementors like Netscape not pass the ball:

"The execution of general-purpose PostScript interpreters entails serious security risks, and implementors are discouraged from simply sending PostScript email bodies to "off-the-shelf" interpreters."

Netscape ignores this suggestion. I guess that Netscape simply knows more (or cares less??) than the entire collected wisdom of the International contributors who make up the IETF. Gee, there's lotsa wisdom over there at Netscape.

Alice de 'nonymous ...
...just another one of those...

P.S. This post is in the public domain.
C. S. U. M. O. C. L. U. N. E.
anonymous-remailer@shell.portal.com writes:
I see that Perry is as charming as ever?
And I see that you don't know what you are talking about.
Perry, I just don't think that it is wise to stick your head in the sand and ignore a severe flaw in your algorithm, while actively misrepresenting matters to those people who are not intimately familiar with the IETF.
I wonder if you even know what the IETF is, since you seem to be waving around an organization I work in like it was a mass of chicken entrails.
Postscript isn't like any other language around. Operator names have no special significance to the interpreter. You can't just "strip out" dangerous commands. They aren't "reserved" in the sense that operator names are in other languages, like COBOL or BASIC.
In Postscript, operator names are simply keys into a LIFO dictionary.
If, Mr. Anonymous, you can get a postscript interpreter to do I/O after you have stripped all the system calls that do file I/O out of the C code for the interpreter merely by invoking the names of the I/O commands in the postscript books, you have managed a feat beyond mere spoon bending and ought to be studied by the parapsychologists.

In any case, Netscape doesn't write the postscript interpreters and doesn't have built-in support for postscript and doesn't ship mailcap files that deal with postscript, so I'd say you are a crank worth ignoring.

Perry
anonymous-remailer@shell.portal.com wrote:
Those of us who care run our postscript interpreters with all the dangerous commands stripped out,
Perry, I'll call you on that one, cause you simply can't do it.
Postscript isn't like any other language around. Operator names have no special significance to the interpreter. You can't just "strip out" dangerous commands. They aren't "reserved" in the sense that operator names are in other languages, like COBOL or BASIC.
You're talking about stripping them out *with PostScript code*, which is obviously a dangerous proposition (but is still possible if you do it right, and if systemdict is not read-only as it often is.) If you strip them out by taking the source to the interpreter and stripping them out there, then the PostScript code can be as malicious as it likes; if the interpreter has no access to disk file primitives, it can't read or write files, period.

If you don't have source to your interpreter, or if your interpreter is deeply intertwingled with your OS or window system, obviously this will be harder to do. So in that case, you can run a different, smaller interpreter that you can isolate. It's not like they aren't widely available.

Of course, if the hypothetical cracker is going to take advantage of buffer-overflow bugs in the interpreter to do what they want, then it doesn't *matter* that it's a PostScript interpreter; at that point, it's just another buggy program.
In Postscript, operator names are simply keys into a LIFO dictionary. This makes Postscript different from other languages because you could redefine these names if you wanted to. Stripping something from a dictionary doesn't matter because the search sequence is top down.
If I rewrite an operator name, and put it at the top of the stack, there's not anything you can do.
Geez, Perry, even if you haven't stripped something out, I can rewrite it. And the interpreter will find the rewritten version before the version that's in your machine.
I think it would be a really good trick to implement disk I/O in PostScript that will work in an interpreter which didn't provide any disk I/O routines in systemdict.
And this is why the Request-For-Comments from the IETF warns:
"Postscript is an extensible language, and many, if not most, implementations of it provide their own extensions. This document does not deal with such extensions explicitly since they constitute an unknown factor ..."
Is that clearer?? If you thought that you had "safety" cause you stripped your interpreter, then you're in trouble, cause that doesn't work.
Of course it works -- if you know what extensions the interpreter you're running provides and if you've likewise turned off the dangerous ones.
but given that Netscape doesn't supply postscript interpreters, it's not really their fault or problem.
Well, that line might work on those who don't know any better, but that's also why the Internet Engineering Task Force (IETF) tries to protect the public by suggesting that implementors like Netscape not pass the ball:
"The execution of general-purpose PostScript interpreters entails serious security risks, and implementors are discouraged from simply sending PostScript email bodies to "off-the-shelf" interpreters."
Netscape ignores this suggestion.
How? As has been pointed out to you, repeatedly, we do not ship a PostScript interpreter, and Netscape does not come configured to *look* for a PostScript interpreter of any kind. When you run it off-the-shelf, and hand it a PostScript file, it says "I've never heard of this. What do you want to do with it?" Just like it would with a perl script. Or an awk script. Or an sh script. Or a Microsoft Word document. Or any other program capable of file I/O or network connections. The user picks the interpreter they want to hand the document to. If anyone ignores this advice you keep repeating, it's the user. Not us.
I guess that Netscape simply knows more (or cares less??) than the entire collected wisdom of the International contributors who make up the IETF.
Stop, I'm getting chills.
Gee, there's lotsa wisdom over there at Netscape.
I'm sure we all love you too.

-- 
Jamie Zawinski jwz@netscape.com http://www.netscape.com/people/jwz/
``A signature isn't a return address, it is the ASCII equivalent of a black velvet clown painting; it's a rectangle of carets surrounding a quote from a literary giant of weeniedom like Heinlein or Dr. Who.'' -- Chris Maeda
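The disagreement above is really about where a "strip" happens. The following is an added Python model of PostScript's dictionary stack, written for this archive page; it is not PostScript, not code from any of the three posters, and not the operator table of any real interpreter. It assumes a two-entry stack (systemdict below userdict), a constructed `prim_file` standing in for the disk I/O primitive, and a `ReadOnlyDict` standing in for the read-only systemdict Jamie mentions. It shows the four cases argued in the thread: user code can shadow an operator (Alice's point); hiding an operator by shadowing it is not a sandbox, since later code can remove the shadow; a PostScript-level `undef` from systemdict does work if done before untrusted code runs and systemdict is writable; and removing the primitive from the interpreter itself leaves nothing for name lookup to find (Perry's and Jamie's point).

```python
"""Toy model of PostScript name resolution over a dictionary stack.
Added illustration only: not PostScript, not any real interpreter."""


class Undefined(Exception):
    """Raised when a name is bound in no dictionary on the stack."""


class ReadOnlyDict(dict):
    """systemdict as many interpreters ship it: lookups work, writes are refused."""

    def __setitem__(self, key, value):
        raise PermissionError("systemdict is read-only")

    def __delitem__(self, key):
        raise PermissionError("systemdict is read-only")


def make_interpreter(primitives, readonly_systemdict=False):
    """Build a fresh dictionary stack.  `primitives` plays the role of the
    operator table compiled into the interpreter binary: only names in it
    ever exist in systemdict.  Index 0 is the bottom, the last entry the top."""
    systemdict = ReadOnlyDict(primitives) if readonly_systemdict else dict(primitives)
    userdict = {}
    return [systemdict, userdict]


def lookup(dstack, name):
    """Search from the top dictionary down; the first binding wins.
    This top-down search is the shadowing Alice relies on."""
    for d in reversed(dstack):
        if name in d:
            return d[name]
    raise Undefined(name)


def define(dstack, name, value):
    """'def' binds into the current (top) dictionary, not into systemdict."""
    dstack[-1][name] = value


# Constructed stand-ins for real primitives (no disk access happens here).
def prim_add(a, b):
    return a + b


def prim_file(path, mode):
    return f"<file {path} {mode}>"   # represents the disk I/O primitive


FULL_OPERATORS = {"add": prim_add, "file": prim_file}
SAFE_OPERATORS = {"add": prim_add}   # 'file' removed from the interpreter's "C source"


def user_can_shadow():
    """Alice's point: user code rebinds 'add' and the user's version is found first."""
    ds = make_interpreter(FULL_OPERATORS)
    define(ds, "add", lambda a, b: a * b)
    return lookup(ds, "add")(3, 4)   # 12: the shadow wins over systemdict's add


def shadow_is_not_a_sandbox():
    """Weak mitigation: hide 'file' behind a stub defined on top of it.
    Code that runs later simply removes the stub and the primitive is reachable again."""
    ds = make_interpreter(FULL_OPERATORS)

    def blocked(*_):
        raise PermissionError("file blocked")

    define(ds, "file", blocked)      # defender's stub lands in userdict
    del ds[-1]["file"]               # later code: userdict /file undef
    return lookup(ds, "file")("secret.txt", "r")   # falls through to the primitive


def postscript_level_undef(readonly_systemdict):
    """Jamie's 'possible if you do it right': remove the binding from systemdict
    itself before untrusted code runs.  Returns True when 'file' ends up
    unreachable, False when the undef was refused (read-only systemdict)."""
    ds = make_interpreter(FULL_OPERATORS, readonly_systemdict)
    try:
        del ds[0]["file"]            # systemdict /file undef
    except PermissionError:
        return False
    try:
        lookup(ds, "file")
    except Undefined:
        return True
    return False


def source_strip_holds():
    """Perry's and Jamie's point: if the primitive was never compiled in, no
    redefinition reaches disk, because there is nothing to reach."""
    ds = make_interpreter(SAFE_OPERATORS)
    try:
        lookup(ds, "file")
    except Undefined:
        pass
    else:
        return False
    # Redefining the name gives the caller only code it already had.
    define(ds, "file", lambda path, mode: f"fake {path}")
    return lookup(ds, "file")("secret.txt", "r") == "fake secret.txt"
```

The model deliberately contains no real I/O; `prim_file` returns a string so that the difference between "the name is hidden" and "the primitive does not exist" is visible in the return values alone. The only case in which shadowing stays defeated is the one where the binding is gone from every dictionary the lookup can reach, which is what stripping the interpreter source achieves and what a userdict stub does not.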
participants (3)
- anonymous-remailer@shell.portal.com
- Jamie Zawinski
- Perry E. Metzger