Linux Running in a PDF (doompdf.dev)
114 points by theden 4 hours ago | 37 comments
As people start bolting various kinds of PDF parsers and evaluators to LLMs, there's got to be some interesting hack potential.
Is it able to have data come out of it though, or is it fully... "sandboxed"? I am guessing the only output is the visual feedback you get when it's rendered?
Oh... I guess if you can somehow have it trigger a "load an image with this query string" or something that could be a way to communicate with the rest of the world
PDFs have always been a highly attractive attack vector, because most people associate them purely with text and have no clue that you can easily embed executable code. Combine that with how atrociously many vulnerabilities there are in popular readers like Acrobat, and you have a perfect gateway for getting your company hacked.
Converting all your PDFs to max-quality sized DJVUs (at least the ones without forms) would be the first thing to do in any company. Maybe not for graphic design because $ADOBE, but for documentation it's perfectly safe to do so.
I received a spam/scam text yesterday with a PDF embedded in it. I deleted it immediately. I also emailed my clients to remind them not to open them either.
Finally! I've been making the joke "put Linux.js in a PDF so I can run Linux, inside a PDF, inside a browser, inside Linux, inside a PDF, inside a browser, inside Linux" for far too long...
It's possible, but not in a PDF. PDFs support only a Turing-incomplete subset of PostScript, because PDF's designers thought that having a Turing-complete language in your document format would have performance implications. (Later, they changed their mind and added JavaScript support.)
From the computation point of view, it's possible. PostScript has integer arithmetic operations needed for x86 CPU emulation. It also has mutable byte strings, which are useful as emulated memory.
The only place I can get it to run is in Chrome. Won't work in Adobe Reader, Firefox, evince etc. Seems most people that do this 'coding in a PDF' only target Chrome as a runtime.
Not sure if there's a reason for that, like Chrome allows more code execution within a document or something?
It can make things worse: Ghostscript is not particularly safe to run on untrusted/potentially malicious input. It has a giant attack surface and no proper mitigations, unlike the PDF reader in your browser.
At a minimum, you'd have to sandbox it using something like gVisor.
How would you structure your workflow to protect from potentially malicious PDFs?
I had originally thought of setting up an inotifywait watcher that would look for downloaded PDFs to swap downloaded files (while leaving a *_with-risky-active-contents.pdf copy).
After thinking for a bit about your comment, I thought about creating a .desktop file that first cleans the PDF via `docker run --runtime=runsc -it ubuntu gs ...` that then proceeds to launch the viewer, and is associated as the main reader of PDF documents...
But now I am wondering if this should be integrated into clamav and other antivirus clients (and unblocking on a case-by-case basis).
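A triage check that a watcher like the one discussed above could run before a PDF reaches a viewer, added here as an example and not code from any commenter. It counts the name keys that mark active content, undoing `#xx` escapes and inflating Flate streams so keys in object streams are seen; the key list, the size cap and the sample bytes are assumptions made for this sketch.

```python
import re
import zlib

# Name keys that indicate scripts, auto-run actions or embedded payloads
# (list chosen for this example; extend to match local policy).
RISKY = {"JS", "JavaScript", "OpenAction", "AA", "Launch",
         "EmbeddedFile", "XFA", "SubmitForm"}
NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
MAX_INFLATE = 8 << 20  # cap output per stream to blunt decompression bombs

def names_in(data):
    """Yield PDF names with #xx escapes decoded (/J#61vaScript -> JavaScript)."""
    for m in NAME.finditer(data):
        raw = HEX.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
        yield raw.decode("latin-1")

def triage(pdf):
    """Return (risky key counts, streams that could not be inflated)."""
    hits, opaque = {}, 0
    chunks = [STREAM.sub(b" ", pdf)]  # object syntax outside stream bodies
    for m in STREAM.finditer(pdf):
        try:
            chunks.append(zlib.decompressobj().decompress(m.group(1), MAX_INFLATE))
        except zlib.error:
            opaque += 1  # not Flate (or corrupt): contents were not inspected
    for chunk in chunks:
        for name in names_in(chunk):
            if name in RISKY:
                hits[name] = hits.get(name, 0) + 1
    return hits, opaque

# Constructed sample: an auto-run action in the catalog, an escaped
# /JavaScript key hidden in a compressed stream, and one non-Flate stream.
_hidden = zlib.compress(b"3 0 obj << /S /J#61vaScript /JS (placeholder) >>")
SAMPLE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + _hidden + b"\nendstream\nendobj\n"
          b"4 0 obj\n<< /Length 4 >>\nstream\n\x00\x01\x02\x03\nendstream\nendobj\n"
          b"%%EOF\n")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-zero second value means some streams were not inspected, so an empty hit list is not proof that the file is inert; encrypted files and other filters need a full parser.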
GhostScript has had -dSAFER as default for decades. If anything, you can always use pdf2djvu to convert that PDF into a DJVU file.
On the PDF in your browser... if it runs JS, you can get p0wned twice, even if it's sandboxed. Vulns in browsers are like segfaults with dubious codecs.
PoC||GTFO is a great magazine :) Yay to Travis Goodspeed! Sorry, I wanted to say Pastor Laphroaig. Just don't get him started on his Tennessee buck belt :D
About time someone gets a somewhat intelligent LLM working in js too (I know it can be done now, but like the linux js, there's a very large difference between what existed and what is practical)
Of course one should. One should always explore and satisfy curiosity.
What one shouldn't do is to use any of that for "serious" purposes, but that kind of stuff is a part of what makes computing great - boundaries are in the imagination.
How is it not reasonable? Commenting here is clearly a total waste of life compared to curing cancer, one of the noblest pursuits, and we've taken it upon ourselves to judge how other people spend their time. And of course once we've decided that I am the arbiter of what other people get to spend their time on, and I've decided that curing cancer is the most important thing to be working on, anyone not working on that gets sent right to waste of time jail.
Watching TV and playing sports or having a drink with friends, all banned under this regime because that's all unnecessary. It might also be possible that everyone's concept of what's valuable and productive is entirely subjective. Demonstrating that PDFs have JavaScript interpreters these days and are not a static content rendering system, and are not to be trusted, in a way that goes viral for maximum exposure, in the off chance someone learns something about how insecure they are, and they avoid getting hacked seems quite valuable to me, given how much money gets lost to hackers.
No one spends all their time only doing productive things, and some choose to spend it making things that other people find neat enough to share, like this PDF. Other people choose to spend their time commenting here. What else do you do for fun (when you're not off curing cancer)? Why is that any more worthy?
Why does it bother you how others spend their free time?
These "dynamic pdfs" are the antithesis of what pdf files are meant to be: static objects containing text that always looks the same. My state dept. of natural resources loves them which means all the regulations are now inaccessible. All I can see in the "pdfs" (not pdfs, pdf shells that are webpages) are the following lines,
"Please wait... If this message is not eventually replaced by the proper contents of the document, your PDF viewer may not be able to display this type of document."
... because they pull down their actual contents using JS from some website. They are the antithesis of what a pdf file is meant to be. Truly the worst of both worlds and a huge step backwards in accessibility and longevity. All that a screen reader can read is the above text.
It does, but the headline doesn't. I don't know if it's a nitpick too far, but it should be "X in a PDF in Chromium", as the hack seems as much about Chromium as it is about PDFs.
I would really appreciate if someone could put a decent PDF reader, like Sumatra, into a PDF so I could have a portable and good PDF reader on locked down computers.
If yes, Adobe has this friendly AI assistant forced into your face and overlapping floating toolbar on all sides of your document that you cannot get rid of to get a clean view of the document itself.
So your dream of a simple lightweight clutterfree PDF reader will remain a dream, unfortunately.
True but also, what actually is the best alternative that's also free? Non-rhetorical question, because I am averse to paying for what feels like a universal/commons piece of tech.
I'm not an advanced user of pdfs so I'm not sure if there's anything major missing from these, but either Okular or just the built-in browser ones work well enough for my basic needs of reading and the occasional form filling for the desktop, and on Android I use MuPDF.
It's wild how shitty and hostile Adobe's pdf reader is as a product. If I was in the planning room I'd roast the product as unusually offensive to most sensibilities.
Then again, I'm in no way running a billion dollar successful software company so what do I know?
I actually hit this recently with a Google Docs generated PDF (print -> download) that wasn't rendering correctly in Chrome or Firefox, but did load as expected in Edge.