Linux Running in a PDF

115 comments

·February 6, 2025

surrTurr

Doesn't work, the document is unresponsive. I used an HP DeskJet 2820e Printer btw.

firtoz

You will need to pipe it into the scanner in a loop, making sure to circle the correct keys before each scan

layer8

PDF actually has the ability to define which elements are displayed vs. printed (Optional Content).

conorreedydev

[flagged]

neilv

    1. Linux Running in a PDF (doompdf.dev)
    114 points by theden 4 hours ago | flag | hide | 37 comments

    2. Ingesting PDFs and why Gemini 2.0 changes everything (sergey.fyi)
    978 points by serjester 17 hours ago | flag | hide | 323 comments

As people start bolting various kinds of PDF parsers and evaluators to LLMs, there's got to be some interesting hack potential.

mrweasel

Linux running in an LLM, as a means to hijack computing resources to train an LLM... or mine bitcoins.

firtoz

Is it able to have data come out of it though, or is it fully... "sandboxed"? I am guessing the only output is the visual feedback you get when it's rendered?

Oh... I guess if you can somehow have it trigger a "load an image with this query string" or something that could be a way to communicate with the rest of the world

sigmoid10

PDFs have always been a highly attractive attack vector, because most people associate them purely with text and have no clue that you can easily embed executable code. Combine that with how atrociously many vulnerabilities there are in popular readers like Acrobat, and you have a perfect gateway for getting your company hacked.

anthk

Converting all your PDFs to max-quality sized DJVUs (at least the ones without forms) would be the first thing to do in any company. Maybe not for graphic design because $ADOBE, but for documentation it's perfectly safe to do so.

sigmoid10

Unfortunately that approach falls apart the moment you need to interact with anyone outside your company.

lemonberry

I received a spam/scam text yesterday with a PDF embedded in it. I deleted it immediately. I also emailed my clients to remind them not to open them either.

deltarholamda

PDF is brushing up against "more harm than good". Wish there was a proper alternative.

niutech

How about OpenXPS or DjVu?

forgotpwd16

Posted a few days ago: https://news.ycombinator.com/item?id=42891937. Repo also provides some explanation/info on how the machinery works.

frabert

Finally! I've been making the joke "put Linux.js in a PDF so I can run Linux, inside a PDF, inside a browser, inside Linux, inside a PDF, inside a browser, inside Linux" for far too long...

shlomo_z

Not exactly. This PDF cannot open a browser... yet!

nialv7

Using JS for this feels like cheating... I wonder if similar things would be possible with PostScript?

bla3

It's possible, but not in a PDF. PDFs support only a Turing-incomplete subset of PostScript, because PDF's designers thought that having a Turing-complete language in your document format would have performance implications. (Later, they changed their mind and added JavaScript support.)

dtech

At least PDFs are generally usable with JS disabled, and it's not available in popular variants like PDF/A and PDF/X

ptspts

From the computation point of view, it's possible. PostScript has integer arithmetic operations needed for x86 CPU emulation. It also has mutable byte strings, which are useful as emulated memory.

anthk

PostScript is Turing complete. Get Ghostscript, zmachine.ps and some game, such as calypso.z3. You can just ddg/google them freely.

anthk

With PostScript you have zmachine.ps which is a ZMachine (zork and friends) interpreter to play text adventure games.

And OFC there's a chess engine in PS, a tic tac toe, and with patience you could even play NES games, but you might need to play with the stack a lot.

karel-3d

Finally, I can `rm -rf /` in a PDF.

DonHopkins

PostScript supports that via the "shredpage" operator.

luismedel

Copy 10 of these in a USB drive. Enjoy your mobile Kubernetes cluster.

https://news.ycombinator.com/item?id=42681039

sillyboi

At least three detections on VirusTotal, but I'm not sure if it's significant.

ClamAV: Js.Trojan.Obfus-48

Cylance: Unsafe

Google: Detected

beretguy

Set pdfjs.enableScripting in Firefox about:config to false.

nanna

But is there a Linux PDF editor that runs Linux in a PDF? Evince isn't loading it for me...

alt227

The only place I can get it to run is in Chrome. Won't work in Adobe Reader, Firefox, evince etc. Seems most people that do this 'coding in a PDF' only target Chrome as a runtime.

Not sure if there's a reason for that, like Chrome allows more code execution within a document or something?

rolandog

Does anyone know if running PDFs through the following filter (as in [0]) prevents malicious actors?

    gs \
        -dNOPAUSE \
        -sDEVICE=pdfwrite \
        -sOUTPUTFILE=clean.pdf \
        -dBATCH \
        dirty.pdf

[0]: https://tex.stackexchange.com/a/481609/29430

lima

It can make things worse: Ghostscript is not particularly safe to run on untrusted/potentially malicious input. It has a giant attack surface and no proper mitigations, unlike the PDF reader in your browser.

At a minimum, you'd have to sandbox it using something like gVisor.

rolandog

Ahh, interesting...

How would you structure your workflow to protect from potentially malicious PDFs?

I had originally thought of setting up an inotifywait watcher that would look for downloaded PDFs to swap downloaded files (while leaving a *_with-risky-active-contents.pdf copy).

After thinking for a bit about your comment, I thought about creating a .desktop file that first cleans the PDF via `docker run --runtime=runsc -it ubuntu gs ...` that then proceeds to launch the viewer, and is associated as the main reader of PDF documents...

But now I am wondering if this should be integrated into clamav and other antivirus clients (and unblocking on a case-by-case basis).
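An added illustration for the workflow question in this sub-thread, not code from any commenter or from the linked project: a pre-open triage step in the spirit of keyword scanners such as pdfid, which flags active-content names in the raw bytes without rendering or converting the file. The function names and both sample documents are constructed for this example.

```python
import re

# PDF name objects that indicate active or auto-run content.
RISKY_NAMES = ("JS", "JavaScript", "OpenAction", "AA", "Launch",
               "EmbeddedFile", "RichMedia", "XFA")
# A name is "/" plus regular characters; "#xx" escapes any byte (PDF 1.2+).
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Count risky name tokens in the raw bytes of a PDF without rendering it."""
    counts = {name: 0 for name in RISKY_NAMES}
    object_streams = 0
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
        elif name == "ObjStm":
            object_streams += 1
    return {
        "hits": {k: v for k, v in counts.items() if v},
        # Objects packed into compressed object streams are invisible to this
        # scan, so a clean result on such a file is inconclusive.
        "inconclusive": object_streams > 0,
    }

def should_quarantine(report: dict) -> bool:
    """Hold the file back on any hit, or when the scan could not see inside."""
    return bool(report["hits"]) or report["inconclusive"]

# Constructed sample: a minimal catalog that runs a script when opened.
# The name /JavaScript is partly hex-escaped, which a plain grep would miss.
SAMPLE_ACTIVE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
                 b"/OpenAction << /S /J#61vaScript /JS (app.alert\\(1\\)) >> >>\n"
                 b"endobj\n%%EOF\n")
# Constructed sample: static page tree only.
SAMPLE_STATIC = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                 b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, blob in (("active", SAMPLE_ACTIVE), ("static", SAMPLE_STATIC)):
        print(label, triage_pdf(blob), should_quarantine(triage_pdf(blob)))
```

Binary stream data can produce chance matches on short names such as /AA, so a hit is a reason to quarantine and inspect, not a verdict.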

anthk

Ghostscript has had -dSAFER as the default for decades. If anything, you can always use pdf2djvu to convert that PDF into a DJVU file. On the PDF in your browser... if it runs JS, you can get p0wned twice, even if it's sandboxed. Vulns in browsers are like segfaults with dubious codecs.

surrTurr

Who the hell keeps making those? First I saw Tetris, now a whole OS. Awesome!

aa-jv

The Reverend Pastor Manul Laphroaig at Alchemist Owl is responsible for a lot of this madness:

https://www.alchemistowl.org/pocorgtfo/

I confess to having become a fan long, long ago ..

zero_k

PoC||GTFO is a great magazine :) Yay to Travis Goodspeed! Sorry, I wanted to say Pastor Laphroaig. Just don't get him started on his Tennessee buck belt :D

beretguy

Linux in the browser has existed for a while. And if PDF can run JS then just put "Linux.js" in PDF. JS opens up a whole can of worms.

spwa4

About time someone gets a somewhat intelligent LLM working in JS too (I know it can be done now, but like the Linux JS, there's a very large difference between what existed and what is practical).