Control: reopen -1 Hi,
On Sun, Jul 24, 2016 at 12:00:45AM -0400, Nicolas Braud-Santoni wrote: > Control: close -1 I do not agree: > Given that advi is meant purely for previewing and presenting DVIs, > it is likely called on trusted inputs. I had a discussion with upstream about this a long time ago. They seem to think that the fact that advi has "active" in its name makes it absolutely clear to anybody that advi has the ability to execute any code. I don't agree with that, it would be easy to add a line in mailcap to use advi as a viewer for any *.dvi files. We even have a wishlist bug requesting this for the advi package. There is no reason to believe that any user will use advi only on trusted dvi files. > In any case, I do not think it makes sense to keep around a 6 years old > security bug. That is not a reason to close a bug. The default behaviour of gs has been fixed in debian to use -P, however this bug against advi should be closed only when one has verified the options used by advi when it calls gs. -Ralf.