HylaFAX The world's most advanced open source fax server


Re: [hylafax-users] Ghostscript vulnerability



Uwe Dippel wrote:
Lee Howard wrote:

The vulnerability for HylaFAX deployments is mitigated by the amount of trust in the allowed fax senders. If your sender pool is quite restricted and well-trusted then your exposure is quite limited. If your sender pool is quite open and untrusted (i.e. TPC cells) then you may be at greater risk.

Howard, if I am not mistaken, some are completely protected: Receive-Only installs cannot be overrun.
Actually, since it is a buffer overflow in ghostscript for incoming .ps files, *any* install / setup in which users cannot deliver PostScript files to hylafax is safe. (Most can, though, I guess.)

I believe that this is correct on all points.


Be aware, though, that I have seen many receive-only systems later get re-used as a receive+send system... so it's important to not only consider how the system is being used presently, but also how it may possibly be used in the future.

Again, I wasn't trying to raise any serious alarm. Most deployments are not likely to be imminently exploited... but as there are many consultants and IT professionals on this list who are expected to be aware of these kinds of risks, I simply wanted to raise awareness.

Thanks,

Lee.

