On 2023-05-07 Adam Thompson wrote:
PDFs have been known to contain malicious payloads. However, if your software is up to date (patched), and you don't click on anything in the PDF, then printing it should be a low risk activity.
PDFs are still a very popular virus vector. But they are mostly attacking older Adobe Reader on Windows. So in that sense you're already much safer on Linux (assuming that's what you're talking about) because a) the specific obscure Linux viewer / PDF library isn't a popular target, and b) Linux itself isn't a popular target of these types of attack. The attack would have to trigger some sec flaw in the reader and then also use that flaw to execute Linux-compatible code. The odds of these together are quite small.
You *can* directly print a PDF (say from the command line) on Linux, and at that time it'll go through CUPS / Ghostscript to render the PDF into a raster, or into PS/PCL. So even doing it "without a reader/viewer" can be subject to attack. (Because in this case there is a reader/viewer (Ghostscript), it's just hidden from you.)
The only downside to Linux for PDFs is, while they aren't popular vectors, their PDF viewers (all mostly obscure hobby projects) also receive fewer sec reviews and updates. And I bet they mostly share just 1 or 2 base PDF libraries, and the same may apply to them.
A safe option would be to open the PDF in a throwaway VM or in (my favorite) a firejail instance. You could use a heavily locked-down firejail to use pdftoppm to sanitize the PDF into a raster-only format that you can then 100% safely view and manipulate outside the jail with your normal tools.
P.S. I would never open a PDF I didn't somewhat trust on Windbloze. I would open most PDFs that didn't come from shady-looking sources in Linux viewers. If it was from a very shady source I'd use the firejail trick. You're right to be suspicious; always be suspicious!! But don't let it stop you from getting things done.
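
The firejail + pdftoppm rasterization mentioned above, sketched as an added example that is not part of the original post. The firejail option set is one assumed "locked-down" choice, and the function names, the `FIREJAIL` override variable and the 150 dpi resolution are hypothetical. Only regular files that start with the PNG signature are copied out of the scratch directory.

```shell
#!/bin/sh
# Added example: render an untrusted PDF to PNG pages inside firejail,
# then export only files that really are PNGs.

# Run a command in a jail whose home is the scratch dir $1: no network,
# no capabilities, seccomp filter, private /dev, no X11, capped memory/time.
# FIREJAIL is a hypothetical override so the wrapper can be dry-run.
run_jailed() {
    dir=$1; shift
    "${FIREJAIL:-firejail}" --quiet --net=none "--private=$dir" \
        --private-dev --caps.drop=all --seccomp --nonewprivs --noroot \
        --x11=none --nosound --rlimit-as=1073741824 --timeout=00:02:00 \
        "$@"
}

# True only for a regular, non-symlink file that begins with the PNG
# signature (89 50 4e 47 0d 0a 1a 0a).
is_png() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    sig=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "89504e470d0a1a0a" ]
}

# sanitize_pdf <untrusted.pdf> <output-dir>
sanitize_pdf() {
    in=$1; out=$2
    work=$(mktemp -d) || return 1
    if ! cp -- "$in" "$work/input.pdf" || ! mkdir -p -- "$out"; then
        rm -rf -- "$work"; return 1
    fi
    # --private mounts $work over $HOME, so these paths resolve inside the jail.
    run_jailed "$work" pdftoppm -r 150 -png "$HOME/input.pdf" "$HOME/page"
    n=0
    for f in "$work"/page*.png; do
        # Anything the renderer left behind that is not a plain PNG stays
        # in the scratch dir and is deleted with it.
        if is_png "$f"; then
            cp -- "$f" "$out/" && n=$((n + 1))
        fi
    done
    rm -rf -- "$work"
    [ "$n" -gt 0 ]
}

# Usage: sh sanitize.sh untrusted.pdf ./pages
if [ "$#" -eq 2 ]; then sanitize_pdf "$1" "$2"; fi
```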