Converting untrusted PDFs into trusted ones: The Qubes Way (2013)

submitted by kawera+(OP) on 2015-11-10 12:22:27 | 23 points 5 comments
1. mpweih+jN1 2015-11-11 10:01:15
>>kawera+(OP)
"Converting PDFs to bitmaps."
2. _urga+ZV1 2015-11-11 12:37:03
>>kawera+(OP)
Does anyone have experience doing server-side OCR on DOCXs, PDFs etc. safely?
3. legule+7W1 2015-11-11 12:38:34
>>kawera+(OP)
> A somehow better approach is to parse the original PDF, disassemble it into pieces, and then reassemble them into a new PDF only using the “trusted” pieces

I wish this approach was used more often, as it also easily allows you to deprecate stuff in your file formats. What you usually have is a huge mess of code that supports all things that ever existed and often even standards don't drop cruft in the name of backward compatibility.

The current approach leads to big unmaintainable codebases riddled with security holes. Font parsers are a good example for this as can be seen in the Google Project Zero font parsing vulnerability series: http://googleprojectzero.blogspot.de/2015/07/one-font-vulner...

4. whatif+C92 2015-11-11 15:43:40
>>kawera+(OP)
OK, in theory one could use an exploit on the PDF, to compromise the sandboxed converter and create a malicious image. ...in theory.
replies(1): >>matteo+vf2
5. matteo+vf2 2015-11-11 16:45:35
>>whatif+C92
She explains that: the converter outputs a size and a stream of RGB values, which are easy to parse and verify, and the worst thing that could happen is you get a bad output image.
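
The trusted-side check described in the last comment, sketched as an added example (not part of the thread and not the Qubes converter's own code). The wire format, the limits and all names here are assumptions: an ASCII "WIDTH HEIGHT" line followed by exactly WIDTH*HEIGHT*3 raw RGB bytes.

```python
import io
import re

MAX_DIM = 10_000     # assumed cap on width and height, in pixels
MAX_HEADER = 32      # assumed cap on header length, in bytes
# Strict header grammar: two decimal numbers without leading zeros.
HEADER_RE = re.compile(rb"([1-9][0-9]{0,4}) ([1-9][0-9]{0,4})\n")


class RejectedPage(Exception):
    """The untrusted stream does not have the expected shape."""


def read_page(stream):
    """Read one page from an untrusted binary stream (hypothetical format)."""
    header = stream.readline(MAX_HEADER)          # bounded read, never unbounded
    match = HEADER_RE.fullmatch(header)
    if match is None:
        raise RejectedPage("malformed or oversized header")
    width, height = int(match.group(1)), int(match.group(2))
    if width > MAX_DIM or height > MAX_DIM:
        raise RejectedPage("dimensions exceed limit")
    expected = width * height * 3                 # size is computed, not trusted
    pixels = stream.read(expected)
    if len(pixels) != expected:
        raise RejectedPage("pixel data shorter than declared size")
    if stream.read(1):
        raise RejectedPage("trailing data after pixel stream")
    # Every byte value is a valid colour sample, so the pixels need no parsing.
    return width, height, pixels


def accepts(raw):
    """Return True if the given bytes pass validation."""
    try:
        read_page(io.BytesIO(raw))
        return True
    except RejectedPage:
        return False


# Constructed samples: one valid 2x1 page and three malformed streams.
GOOD = b"2 1\n" + bytes([255, 0, 0, 0, 0, 255])
SHORT = b"2 1\n" + bytes(3)
HUGE = b"99999 99999\n"
EXTRA = GOOD + b"%PDF-1.4"

if __name__ == "__main__":
    for name, raw in [("GOOD", GOOD), ("SHORT", SHORT), ("HUGE", HUGE), ("EXTRA", EXTRA)]:
        print(name, "accepted" if accepts(raw) else "rejected")
```

A compromised converter can still choose which pixels it sends, which is the "bad output image" case the comment mentions; the validator only guarantees that nothing other than pixels gets through.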