| | | 20200205 |
Gitinh4 | hey kens, how are you doing? I tried to use the gs command line to generate a pdf and then edit it with the /XObject, well, it seems that doing such a change breaks the whole xref pointer and I still can not come up with the exact offset. Look at the example here: https://dpaste.org/0Ybo/raw | 10:11.45 |
kens | PDF files are binary files, and they cannot readily be edited. | 10:12.22 |
| If you change the number of bytes in the file then you must recalculate at least some of the offsets in the xref table, possibly all of them. | 10:13.01 |
| Figuring out the offset is not hard, open the file in a binary editor, find the offset of, for example, the x in xref, that's the value for 'startxref' | 10:13.34 |
| For other objects it's the offset of the object number, eg the 1 in 1 0 obj | 10:13.54 |
| I can't tell you what the values in your xref table should be because this is a pastebin, so I have no idea what the line endings are, whether the white spaces are spaces or tabs, etc. | 10:14.34 |
| Out for a couple of hours | 10:28.02 |
weijunli | hey chrisl, around? | 12:51.05 |
| I think I've solved the offset thing but now I bumped into something else | 12:51.18 |
| https://dpaste.org/xUct/raw | 12:51.21 |
chrisl | weijunli: And? | 13:01.34 |
weijunli | chrisl, it seems to be a valid .pdf now, at least I can open it.. but it doesn't create the output1.txt declared in the XObject | 13:02.10 |
chrisl | What are you using to open it? | 13:02.46 |
weijunli | default pdf viewer from ubuntu 16.04 | 13:05.37 |
| 'Document Viewer' | 13:05.51 |
chrisl | So, no Postscript interpreter then | 13:06.06 |
weijunli | Oh.. can you suggest a viewer with a PS interpreter that I can just apt install? | 13:07.18 |
chrisl | The only one around is Ghostscript | 13:07.32 |
weijunli | hmm | 13:08.23 |
| I got **** Error: stream Length incorrect. | 13:08.25 |
| Output may be incorrect. | 13:08.26 |
| how do I calc the exact stream len? | 13:08.50 |
chrisl | No one is going to devote time to implementing Postscript inside PDF to support a feature deprecated since 2001 | 13:08.51 |
| weijunli: It's the number of bytes in the stream | 13:09.21 |
| weijunli: This is all covered in the PDF spec | 13:09.54 |
weijunli | It says Page 1 has stream length incorrect | 13:14.20 |
| but I didn't set any stream on Page 1 though | 13:14.28 |
chrisl | 5 0 obj | 13:15.41 |
| <</Length 30>> | 13:15.41 |
| stream | 13:15.41 |
| endstream | 13:15.41 |
| endobj | 13:15.41 |
| Object 5 is the content stream for the first page | 13:16.16 |
| Hence the warning is *very* clearly correct | 13:16.36 |
weijunli | Length 0 is the right size? | 13:18.30 |
chrisl | "Length integer (Required) The number of bytes from the beginning of the line following the keyword stream to the last byte just before the keyword endstream. (There may be an additional EOL marker, preceding endstream, that is not included in the count and is not logically part of the stream data.) See "Stream Extent," above, for further discussion." | 13:19.00 |
weijunli | chrisl, I can run the pdf with `gs my.pdf` without any errors but it still doesn't create the file | 13:23.47 |
chrisl | weijunli: Well, I say that Postscript XObjects have been "deprecated since 2001 and disabled since 2008" | 13:24.59 |
weijunli | in order to test if it is indeed working properly I'd need to downgrade the gs to a 2000 version? | 13:26.28 |
| Also, what are the objects that replaced the XObjects? By replace I mean, the language that has similar features to PS and is still supported in PDFs? | 13:27.03 |
chrisl | weijunli: I think we're done here: none of this is relevant to subject of this channel | 13:29.12 |
| If you want to run Postscript, run a Postscript file. | 13:29.37 |
weijunli | Different subjects, same course though, people might be interested in such discussions, as no one is really asking any questions besides me | 13:32.49 |
| and I pretty much believe this is one of the best # to do it, in this matter | 13:33.04 |
| I'm reading the PDF 1.7 official doc, and it has a page dedicated to PostScript compatibility. Is XObject completely deprecated or are there a few features that still work? | 13:34.04 |
chrisl | *Postscript* XObjects are completely deprecated - in fact, I'm not sure Acrobat has *ever* supported them | 13:34.50 |
kens | I think they've been removed altogether from the current (PDF 2.0) specification | 13:35.22 |
chrisl | There *might* be at most 4 PDF implementations around the world that actually *ever* supported them | 13:35.38 |
| And definitely only one open source implementation..... | 13:36.30 |
weijunli | Got it.. Where can I see all /Types supported by a PDF? I am interested in seeing what stream data (languages) I can put in a PDF | 13:39.09 |
| also, does the -dSAFER sandbox escape reported by `Taviso` still work on the version GPL Ghostscript 9.26 (2018-11-20)? | 13:40.00 |
| Another thing, the XObject may be removed in 2.0 but there are a lot of docs that still use other PDF versions like 1.7, 1.4 | 13:43.16 |
| how does that work out? | 13:43.34 |
chrisl | Given that no widely used PDF consumers ever supported Postscript XObjects, it really makes no difference | 13:45.04 |
weijunli | chrisl, are you the guy that committed the fix for Tavis's bug, right? | 13:48.03 |
chrisl | Which Tavis bug? There were several. I did most of them, I think, but others were involved, too | 13:48.44 |
weijunli | https://www.openwall.com/lists/oss-security/2018/10/09/4 | 13:49.05 |
chrisl | Yes, that was me | 13:49.48 |
weijunli | does that exploit work on the version I said above? | 13:50.06 |
chrisl | No | 13:50.27 |
weijunli | Any public exploit that does work on that version? That's the version the internal app I told you about uses. | 13:52.31 |
chrisl | There probably are, yes. Although, even if you enable Postscript XObjects in PDF, I doubt any of the exploits will work as they were reported | 13:54.14 |
kens | I'm reasonably certain the ones that rely on exploiting the error handler won't work, since the PDF interpreter runs a lot of stuff in stopped and therefore doesn't invoke the error handler. Even if it did, the stack shape (which the exploit relies on) will likely be different | 13:55.43 |
| Making a PS XObject is not a good way to test a PostScript exploit | 13:56.03 |
weijunli | hmm. I'd appreciate it if you guys could share some material to get a bigger picture. Only public stuff ofc. | 13:57.27 |
kens | I think we've gone about as far as we can. If you want to test one of the public exploits, try it in PostScript, not PDF. | 13:58.00 |
weijunli | I understand.. I tried the exploit on that link on the version I said, and I get Error: /undefined in GS_PDF_ProcSet | 13:59.07 |
kens | Yep | 13:59.19 |
| We hid the definition of the ProcSet as part of one of the fixes | 13:59.30 |
weijunli | Alright. Thanks a lot ;) will poke around a little bit | 14:00.15 |
chrisl | If you're using a Linux distro package of gs, it may well have been patched with the security fixes as they were published | 14:00.19 |
kens | Yes, that's a good point. | 14:00.36 |
weijunli | Cool. Thanks for your attention | 14:01.03 |
chrisl | And understanding the way the exploits work would mean a pretty deep understanding of Postscript, and some specifics about the Ghostscript implementation | 14:01.38 |
| And *then* understanding why it wouldn't work in a PDF would mean getting at least some understanding of the Ghostscript PDF interpreter | 14:02.18 |
kens | That would be 'challenging' | 14:02.33 |