Hi,

Cc'ing the security-team alias.

On Wed, Oct 07, 2020 at 01:15:23PM -0700, Felix Lechner wrote:
> Control: tags -1 + patch
>
> Hi,
>
> > Is this because of a ghostscript vulnerability?
>
> The PDF policy restriction is also in effect on Debian stable even
> though that release ships with Ghostscript 9.27, which online sources
> suggest is safe. [1]
>
> Converting images to PDF is a very common functionality. Please
> provide a backport with the attached patch, or similar. Thanks!

It is actually unlikely for the moment that we will revert the
200-disable-ghostscript-formats.patch patch again, which was first
included in the 8:6.9.10.23+dfsg-2.1+deb10u1 upload. It does mitigate in
general problems with the ghostscript-handled formats, e.g. the (new)
CVE-2020-29599, cf.
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html .

We follow here only what other distributions have done earlier; I believe
SuSE has such a restriction, as does Ubuntu, from which the mentioned patch
was actually merged in in the last update, TTBOMK.

Regards,
Salvatore
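The restriction discussed above lives in ImageMagick's policy.xml, where each `<policy domain="coder" ...>` entry grants or withholds read/write/execute rights for coders matching a glob pattern. The script below is an added example, not part of this bug thread, of the Debian patch, or of ImageMagick itself: it parses a policy file and reports which coders end up with no rights, so an administrator can tell in advance whether a given PDF or PostScript conversion will be refused with "not authorized". The embedded policy is a constructed sample modelled on the kind of ghostscript-coder restriction the thread describes, not a copy of 200-disable-ghostscript-formats.patch. The evaluation rule (all rights by default, each matching rule intersects the granted set, pattern matching case-insensitive) is my reading of ImageMagick's policy handling and should be treated as an assumption.

```python
"""Report which ImageMagick coders a policy.xml leaves without rights.

Added example; not from the Debian bug thread, the Debian patch or ImageMagick.
"""
import fnmatch
import xml.etree.ElementTree as ET

ALL_RIGHTS = frozenset({"read", "write", "execute"})

# Constructed sample policy in the shape of an ImageMagick-6 policy.xml.
# It withholds every right from the ghostscript-handled coders, which is the
# kind of restriction the thread is about (not the actual Debian patch text).
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
  <policy domain="delegate" rights="none" pattern="gs" />
</policymap>
"""


def parse_rights(value):
    """Turn a rights attribute ("none", "read", "read|write", ...) into a set."""
    value = (value or "").strip().lower()
    if value in ("", "none"):
        return frozenset()
    return frozenset(r.strip() for r in value.split("|")) & ALL_RIGHTS


def coder_rules(policy_xml):
    """Return [(pattern, rights)] for every <policy domain="coder"> entry."""
    root = ET.fromstring(policy_xml)
    return [(p.get("pattern", "*"), parse_rights(p.get("rights")))
            for p in root.iter("policy") if p.get("domain") == "coder"]


def coder_rights(policy_xml, coder):
    """Rights left for a coder after applying every matching rule.

    Assumption: ImageMagick starts from all rights and every rule whose glob
    matches the coder name removes the rights it does not list; matching is
    treated as case-insensitive here.
    """
    granted = set(ALL_RIGHTS)
    for pattern, rights in coder_rules(policy_xml):
        if fnmatch.fnmatchcase(coder.upper(), pattern.upper()):
            granted &= rights
    return frozenset(granted)


def is_blocked(policy_xml, coder, right="read"):
    """True when the policy would refuse this operation for the coder."""
    return right not in coder_rights(policy_xml, coder)


def blocked_coders(policy_xml, candidates):
    """Sorted list of candidate coders that have no rights at all."""
    return sorted(c for c in candidates if not coder_rights(policy_xml, c))


if __name__ == "__main__":
    # Typical question from the thread: will "convert in.png out.pdf" work?
    for coder in ("PDF", "PS", "EPS", "PNG", "JPEG"):
        rights = sorted(coder_rights(SAMPLE_POLICY, coder))
        print(f"{coder:5s} {'|'.join(rights) or 'none'}")
```

On a real system, `identify -list policy` prints the policy ImageMagick actually loaded (including any file from the policy search path, not just the one you edited), so compare its coder entries with what this script reports before concluding that a conversion should have worked.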

