Hacker News: ThomasRinsma

Spoofing OpenPGP.js signature verification

ThomasRinsma — Tue, 10 Jun 2025 13:58:30 +0000

Article URL: https://codeanlabs.com/blog/research/cve-2025-47934-spoofing-openpgp-js-signatures/

Comments URL: https://news.ycombinator.com/item?id=44236891

Points: 97

# Comments: 30

New comment by ThomasRinsma in "Show HN: Doom (1993) in a PDF"

ThomasRinsma — Mon, 13 Jan 2025 06:57:34 +0000

Author of "PDF Tetris" here.

Great work! We had the same idea at the same time, here's my version of PDF Doom:

Source: https://github.com/thomasRinsma/pdfdoom

Playable here: https://th0mas.nl/downloads/doom.pdf

Yours is neater in many ways though!

New comment by ThomasRinsma in "Show HN: Tetris in a PDF"

ThomasRinsma — Thu, 09 Jan 2025 18:35:43 +0000

Oops, yeah :)

New comment by ThomasRinsma in "Show HN: Tetris in a PDF"

ThomasRinsma — Thu, 09 Jan 2025 16:31:05 +0000

I barely looked at Adobe Reader so not sure about that one, it definitely does not work with this PDF though, likely because it's not compliant in several ways. Besides that I wouldn't be surprised if it supports all the required JS APIs and more, just possibly behind some permission prompts.

It might work in Foxit as I believe it supports some scripting. Most of the other native PDF renderers are more static, as far as I know. In either case, I was most interested in the browser-native engines, as I always thought of them as more "static"/limited.

As for documentation on specific features: to be honest, I just looked at the implementations of PDF.js and PDFium. Both only support a subset of the "standard" API, likely for security reasons. But PDF.js for example allows changing a field's background color (colored pixels!), and PDFium allows modifying their position/bounding box (I tried a high res color display by moving a row vertically as if it's a scanline, but things become quite laggy).

Show HN: Tetris in a PDF

ThomasRinsma — Thu, 09 Jan 2025 13:31:33 +0000

I realized that the PDF engines of modern desktop browsers (PDFium and PDF.js) support JavaScript with enough I/O primitives to make a basic game like Tetris.

It was a bit tricky to find a union of features that work in both engines, but in the end it turns out that showing/hiding annotation "fields" works well to make monochrome pixels, and keyboard input can be achieved by typing in a text input box.

All in all it's quite janky but a nice reminder of how general purpose PDF scripting can be. The linked PDF is all ASCII so you can just open it in a text editor, or have a look at the source code here: https://github.com/ThomasRinsma/pdftris/blob/main/gengrid.py

Comments URL: https://news.ycombinator.com/item?id=42645218

Points: 1289

# Comments: 223

CVE-2024-29510 – Exploiting Ghostscript using format strings

ThomasRinsma — Tue, 02 Jul 2024 14:31:49 +0000

Article URL: https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/

Comments URL: https://news.ycombinator.com/item?id=40857073

Points: 41

# Comments: 9

New comment by ThomasRinsma in "CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js"

ThomasRinsma — Mon, 20 May 2024 15:53:39 +0000

Original author here. This is indeed a bit confusing.

You are right for the case where Firefox's PDF.js is used (local or remote file in a tab or iframe). The XSS problem however is with web-applications that themselves use PDF.js. In that case, it does not run in a separate or special origin; that is a Firefox thing.

You are also right that the PDF format supports JavaScript, but that is something unrelated to this, and indeed highly sandboxed in all cases.