On Tue, Apr 29, 2008 at 10:18:55PM -0700, Geoffrey Irving wrote:
PS is Turing complete, and does know about dates. So yes, you can make
such conditionals.
I knew postscript was Turing complete, but had (naively) assumed it
executed sandboxed and deterministically and would therefore display
uniformly barring interpreter bugs. Looking over the spec, I can't
find where it's possible to read the current date, but the
usertime/realtime variables are sufficient as long as the attacker
knows how fast the relevant machines are.
usertime and realtime are from the start of the invocation of the
postscript interpreter, not based on the outside world. So, the
interpreter could wait arbitrarily long, but has no way of knowing any
external reference to time.
I could imagine trickery with PDF signatures and their expiration times,
but you shouldn't be able to do anything with the information, so it would
be an exploit, and would probably be fixed.
David
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
