DigiNews


Bypassing Apache FOP PostScript Escaping to Reach GhostScript

Quality: 7/10 Relevance: 8/10

Summary

The article analyzes a vulnerability chain in a deployment that uses Apache FOP to generate PostScript from user-supplied XML and GhostScript to render PDFs. It explains how PostScript escaping and line-wrapping can be manipulated to inject and execute arbitrary PostScript commands, potentially bypassing the sandbox and accessing the file system. The piece references a CVE and discusses the implications for security, noting that Apache FOP’s maintainers do not plan a fix and that security properties should be better documented.

🚀 Service built by Johan Denoyer