[tor-users] FONT at domain.net dangerous ? NoScript

Petrusko petrusko at riseup.net
Thu Sep 7 08:33:28 UTC 2017


Thx Sean for this answer, so it's really sad to understand it's bugged
and the system/browser can be compromised by those fonts :s

So I'm starting to be anxious when I think about all the fonts downloaded from
websites (like www.dafont.com ) and added to the system,
sometimes Windows, usually Debian, to use with Gimp and sometimes
inside other software... :ss
Those websites could be a nice way for bad guyz to distribute those bugged
fonts, so :'(

Buh! And no way to know if a font is bugged or not?
When using it inside Gimp for example, no remote execution or something
similar can be done? Like Firefox in your example?
(kernel pwned in Windows, resulting in a BSOD, is not really a big
problem in my eyes...)


On 07/09/2017 at 00:31, Sean Lynch wrote:
> I would not assume Linux is safe. Font engines are complex beasts,
> giving security bugs plenty of places to hide. Freetype has had 22
> vulnerabilities discovered since 2009 that could have been used to
> execute code, and Graphite, Firefox's current font rendering engine,
> has also had its share. In fact, as recently as April, Firefox had
> BOTH a remote execution font rendering bug *and* a sandbox escape bug
> that perhaps could have been combined to enable executing arbitrary
> code outside the sandbox.
>
> On Wed, Sep 6, 2017 at 2:30 PM Petrusko <petrusko at riseup.net
> <mailto:petrusko at riseup.net>> wrote:
>
>     Buh! Thx Andre for your answer and the link :)
>     Very interesting, but hard to understand for a novice. So I can
>     see it's only a Windows problem if I'm not wrong.
>     So on a Linux machine there's no (not known) risk to enable @Font ...
>
>     Thx! ;)
>
>
>     Andre Mankel :
>     > Downloading fonts may be dangerous although the chances are rather
>     > low. But as always, this is subject to many circumstances.
>     >
>     >
>     https://threatpost.com/of-truetype-font-vulnerabilities-and-the-windows-kernel/101263/
>     >
>     > Best wishes
>     > Andre
>
>     --
>     Petrusko
>     C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
>
>
>     _______________________________________________
>     tor-users mailing list
>     tor-users at lists.torproject.org <mailto:tor-users at lists.torproject.org>
>     https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-users
>

-- 
Petrusko
C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
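The question above ("no way to know if a font is bugged or not?") has no complete answer: a font that exploits a parser bug is, by definition, one the parser accepts. What a defender can do before handing a downloaded file to FreeType, Gimp or a browser is check that the container is internally consistent, which rejects the crude cases (table offsets and lengths that point outside the file, mismatched checksums, a forged directory). The script below is an added example written for this thread, not code from any list participant or from the Tor Project; it parses only the sfnt header and table directory shared by TrueType and OpenType fonts, and the two sample fonts it builds (`GOOD_FONT`, `BAD_FONT`) are constructed skeletons, not renderable fonts. A clean result means the directory is consistent, not that the font is safe.

```python
import struct

# sfnt version tags accepted here: TrueType (0x00010000), CFF-based OpenType
# ("OTTO") and Apple's legacy "true". Font collections ("ttcf") are not handled.
SFNT_VERSIONS = {b"\x00\x01\x00\x00", b"OTTO", b"true"}
HEADER_LEN = 12   # sfntVersion + numTables + searchRange + entrySelector + rangeShift
RECORD_LEN = 16   # tag + checksum + offset + length


def table_checksum(data: bytes) -> int:
    """Sum of big-endian uint32 words, zero-padded to a 4-byte multiple (mod 2**32)."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for (word,) in struct.iter_unpack(">I", padded):
        total = (total + word) & 0xFFFFFFFF
    return total


def check_sfnt(blob: bytes) -> list:
    """Return a list of structural findings; an empty list means the directory is
    internally consistent (it does NOT mean the font is safe to render)."""
    findings = []
    if len(blob) < HEADER_LEN:
        return ["file shorter than sfnt header"]
    version, num_tables, search_range, entry_selector, range_shift = struct.unpack(
        ">4sHHHH", blob[:HEADER_LEN])
    if version not in SFNT_VERSIONS:
        findings.append(f"unknown sfnt version {version!r}")
    if num_tables == 0:
        return findings + ["no tables"]
    # The three search fields are derived from numTables; a mismatch is a cheap
    # signal that the header was hand-edited or corrupted.
    exp_sel = num_tables.bit_length() - 1
    exp_range = (1 << exp_sel) * 16
    if (search_range, entry_selector, range_shift) != (exp_range, exp_sel, num_tables * 16 - exp_range):
        findings.append("searchRange/entrySelector/rangeShift inconsistent with numTables")
    dir_end = HEADER_LEN + RECORD_LEN * num_tables
    if dir_end > len(blob):
        findings.append(f"directory claims {num_tables} tables but file is {len(blob)} bytes")
        return findings
    seen = set()
    for i in range(num_tables):
        start = HEADER_LEN + RECORD_LEN * i
        tag, checksum, offset, length = struct.unpack(">4sIII", blob[start:start + RECORD_LEN])
        name = tag.decode("latin-1")
        if tag in seen:
            findings.append(f"{name}: duplicate table record")
        seen.add(tag)
        if offset < dir_end:
            findings.append(f"{name}: offset {offset} overlaps the header/directory")
        # Python integers do not wrap, so offset + length is compared honestly.
        # In a C parser this same addition on uint32 values can overflow, which is
        # the bug class behind many font-engine memory-safety issues.
        if offset + length > len(blob):
            findings.append(f"{name}: offset {offset} + length {length} exceeds file size {len(blob)}")
            continue
        # 'head' is excluded: its checkSumAdjustment field makes its own checksum special.
        if tag != b"head" and table_checksum(blob[offset:offset + length]) != checksum:
            findings.append(f"{name}: checksum mismatch")
    if b"head" not in seen:
        findings.append("required 'head' table missing")
    return findings


def build_sfnt(tables: dict) -> bytes:
    """Assemble a minimal, well-formed sfnt container from {tag: bytes} (sample builder)."""
    num = len(tables)
    sel = num.bit_length() - 1
    rng = (1 << sel) * 16
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, rng, sel, num * 16 - rng)
    offset = HEADER_LEN + RECORD_LEN * num
    records, body = b"", b""
    for tag, data in tables.items():
        records += struct.pack(">4sIII", tag, table_checksum(data), offset, len(data))
        padded = data + b"\x00" * (-len(data) % 4)
        body += padded
        offset += len(padded)
    return header + records + body


# Constructed samples: a tiny font skeleton ('head' and 'maxp' only, not renderable),
# and a copy whose second table record claims an impossible length.
GOOD_FONT = build_sfnt({b"head": b"\x00" * 54, b"maxp": struct.pack(">IH", 0x00005000, 1)})
_bad = bytearray(GOOD_FONT)
_len_field = HEADER_LEN + RECORD_LEN * 1 + 12   # length field of record #1 ('maxp')
_bad[_len_field:_len_field + 4] = struct.pack(">I", 0xFFFFFFF0)
BAD_FONT = bytes(_bad)

if __name__ == "__main__":
    for label, font in (("good", GOOD_FONT), ("bad", BAD_FONT)):
        print(label, check_sfnt(font) or "no structural findings")
```

Run it on a downloaded `.ttf`/`.otf` by reading the file into `check_sfnt()`; anything it reports is reason enough to discard the file without opening it in a renderer. The useful defensive habits it does not replace are keeping the font engine patched (the FreeType and Firefox fixes mentioned earlier in the thread) and opening untrusted fonts only inside a sandboxed process or throwaway VM.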

