Hi,

Am 30.01.19 um 13:07 schrieb Emilio Pozuelo Monfort:
[...]
> I would appreciate some testing and/or feedback.

I have done most of the backporting work for the previous
vulnerabilities of Ghostscript. I don't recommend to backport the stable
version to Jessie at the moment but rather to continue to address those
issues with targeted fixes. There is a high risk that
reverse-dependencies will be negatively affected and there were also
regressions in Stretch the security team had to deal with. In case of
ghostscript a complete backport from stable should be the last resort.

The whole sandbox concept of ghostscript appears very fragile and even
upstream seems to struggle to close all the loopholes. We should rather
disable ghostscript handled formats in graphicsmagick and imagemagick by
default as I have previously suggested and let users handle it manually.
[1] We could also invest the time to fix this in unstable first and
learn from the result. [2]

Regards,

Markus

[1] https://lists.debian.org/debian-lts/2018/10/msg00019.html
[2] https://bugs.debian.org/907336

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to