My favorite RCE, FORCEDENTRY[0], also involved PDFs. It was the first time I was truly in awe of an exploit.

Through a combination of (1) an integer overflow in an open-source PDF compression library, (2) a Turing-complete compression codec, and (3) CoreGraphics noticing that the "gif" in your iMessage is actually a PDF and helpfully decoding it for you, NSO was able to bootstrap a purpose-built virtual machine, upon which they ran their sandbox escape.

I highly recommend reading this post[1] by Project Zero if you haven't already.

[0] https://en.wikipedia.org/wiki/FORCEDENTRY

[1] https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
I've said it before and I'll say it again: Ghostscript will never be safe, ever.

If you must run it, then make it 100% isolated, for instance in a Lambda with no API credentials or IAM permissions, and do S3 input/output by passing presigned URLs. Make it OK to have RCE.
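The isolation pattern described in the comment above, written out as an added example (this is not the commenter's code and not part of any project): a worker that receives only two presigned S3 URLs, pulls the input over one, runs Ghostscript on it, and pushes the result over the other. The event shape (`input_url`/`output_url`), the host allowlist, the size and time limits, and the `gs` flags are all assumptions made for the example. The function itself holds no AWS credentials and its execution role is assumed to have an empty policy, so an RCE inside `gs` gains a throwaway container and nothing else.

```python
"""Isolated Ghostscript worker: presigned S3 URLs in, presigned S3 URL out.

Assumed event (not from the original comment):
    {"input_url": "<presigned GET URL>", "output_url": "<presigned PUT URL>"}
Assumed deployment: a Lambda whose execution role grants no S3 or IAM
permissions at all; every byte moves through URLs the caller pre-signed.
"""
import os
import subprocess
import tempfile
import urllib.parse
import urllib.request

MAX_INPUT_BYTES = 50 * 1024 * 1024   # assumed cap; stops a 10 GB "PDF" filling /tmp
GS_TIMEOUT_SECONDS = 60              # assumed cap; a hostile file should not hang the worker
HTTP_TIMEOUT_SECONDS = 30


def is_presigned_s3_url(url: str) -> bool:
    """Allowlist check: HTTPS, an Amazon S3 hostname, and SigV4 presign
    query parameters present. Keeps the worker from being pointed at an
    arbitrary host as a download or exfiltration target."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname or ""
    labels = host.split(".")
    # Covers virtual-hosted ("bucket.s3.us-east-1.amazonaws.com") and
    # path-style ("s3.us-east-1.amazonaws.com") endpoints.
    if not (host.endswith(".amazonaws.com")
            and any(l == "s3" or l.startswith("s3-") for l in labels)):
        return False
    query = urllib.parse.parse_qs(parts.query)
    return all(k in query for k in ("X-Amz-Credential", "X-Amz-Expires", "X-Amz-Signature"))


def ghostscript_command(src: str, dst: str) -> list[str]:
    """Build the gs invocation: -dSAFER restricts file access, -dBATCH and
    -dNOPAUSE keep it non-interactive. pdfwrite is the assumed output device."""
    return [
        "gs", "-dSAFER", "-dBATCH", "-dNOPAUSE", "-dNOPROMPT",
        "-sDEVICE=pdfwrite", f"-sOutputFile={dst}", src,
    ]


def convert(input_url: str, output_url: str) -> int:
    """Download, convert, upload. Returns the HTTP status of the PUT."""
    if not (is_presigned_s3_url(input_url) and is_presigned_s3_url(output_url)):
        raise ValueError("both URLs must be presigned S3 URLs")

    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "in.pdf")
        dst = os.path.join(workdir, "out.pdf")

        with urllib.request.urlopen(input_url, timeout=HTTP_TIMEOUT_SECONDS) as resp:
            data = resp.read(MAX_INPUT_BYTES + 1)
        if len(data) > MAX_INPUT_BYTES:
            raise ValueError("input exceeds size cap")
        with open(src, "wb") as fh:
            fh.write(data)

        # Lambda exposes the role's temporary credentials as AWS_* environment
        # variables. The role is assumed to have no permissions, but the
        # child process still gets a scrubbed environment so they never
        # reach gs at all.
        subprocess.run(
            ghostscript_command(src, dst),
            check=True,
            timeout=GS_TIMEOUT_SECONDS,
            env={"PATH": "/usr/bin:/bin", "HOME": workdir},
            cwd=workdir,
        )

        with open(dst, "rb") as fh:
            body = fh.read()

    req = urllib.request.Request(
        output_url, data=body, method="PUT",
        headers={"Content-Type": "application/pdf"},
    )
    with urllib.request.urlopen(req, timeout=HTTP_TIMEOUT_SECONDS) as resp:
        return resp.status


def lambda_handler(event, context):
    """Assumed Lambda entry point."""
    return {"status": convert(event["input_url"], event["output_url"])}
```

The caller that holds real S3 permissions signs a short-lived GET for the input object and a short-lived PUT for the output key, then invokes the function with just those two strings; that is the only trust relationship between the worker and the rest of the system, and it expires with `X-Amz-Expires`.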
The article is from yesterday and at first it scared me into thinking it was yet another vulnerability. Turns out it's from weeks ago and Debian patched it 10 days ago. Whew.