BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.bsidescbr.com.au//bsides-canberra-2026//speaker//CGG
 LLV
BEGIN:VTIMEZONE
TZID:AEST
BEGIN:STANDARD
DTSTART:20000326T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3;UNTIL=20050326T170000Z
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:STANDARD
DTSTART:20060402T040000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060401T170000Z
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:STANDARD
DTSTART:20070325T040000
RRULE:FREQ=YEARLY;BYDAY=4SU;BYMONTH=3;UNTIL=20070324T170000Z
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:STANDARD
DTSTART:20080406T040000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000827T030000
RRULE:FREQ=YEARLY;BYDAY=4SU;BYMONTH=8;UNTIL=20000826T170000Z
TZNAME:AEDT
TZOFFSETFROM:+1000
TZOFFSETTO:+1100
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20011028T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20071027T170000Z
TZNAME:AEDT
TZOFFSETFROM:+1000
TZOFFSETTO:+1100
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20081005T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=10
TZNAME:AEDT
TZOFFSETFROM:+1000
TZOFFSETTO:+1100
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-bsides-canberra-2026-KHLBMX@cfp.bsidescbr.com.au
DTSTART;TZID=AEST:20260925T120000
DTEND;TZID=AEST:20260925T122500
DESCRIPTION:Ghostscript is one of the most ubiquitous PostScript interprete
 rs in the world. Even if you never run it directly\, your systems probably
  do: rendering thumbnails\, converting documents\, previewing uploads\, or
  handling images that quietly become PostScript somewhere along the way.\n
 \nGhostscript is also a C codebase with roots in the late 1980s\, which me
 ans there is still plenty of room for memory corruption when parsing untru
 sted input.\n\nIn this talk\, we will walk through two heap corruption bug
 s we discovered in Ghostscript and show how we turned them into reliable m
 emory read/write primitives callable from PostScript. Rather than relying 
 on fixed offsets\, the exploit uses those primitives to scan Ghostscript
 ’s address space at runtime\, locate the internal structures needed for 
 the attack\, and construct a data-only sandbox escape from PARANOIDSAFER t
 hat works across multiple versions and builds.\n\nWe will then zoom out an
 d look at where this kind of bug can actually be exploited. Thumbnailers\,
  ImageMagick\, LibreOffice\, web applications\, and document-processing pi
 pelines all have different file formats and integration points\, but the s
 ink is often the same PostScript interpreter.
DTSTAMP:20260715T191626Z
LOCATION:Main Track
SUMMARY:Chasing Shadows: Portable Memory Corruption in Ghostscript - Rick d
 e Jager
URL:https://cfp.bsidescbr.com.au/bsides-canberra-2026/talk/KHLBMX/
END:VEVENT
END:VCALENDAR
