I guess this issue can be exploited remotely. If /etc/mailcap uses gs, then we are done: neither -P- nor -dSAFER are defaults. My Debian /etc/mailcap uses gv, and gv knows to use -dSAFER. First "feed" the victim a "bad" PS file named gs_res.ps or pdf_base.ps or similar. No harm done yet. Then "feed" the victim any PS or PDF file: quite likely the old file will have its original name, still in place, in the same place as the new file: gv does not use -P- and our first file will be used. Would it help if I (or someone with actual knowledge) would put together a proof-of-concept demo? Cheers, Paul Paul Szabo psz@xxxxxxxxxxxxxxxxx http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia
