On Wed, Jan 30, 2019 at 01:24:40PM +0100, Markus Koschany wrote:
> Hi,
>
> On 30.01.19 at 13:07, Emilio Pozuelo Monfort wrote:
> [...]
> > I would appreciate some testing and/or feedback.
>
> I have done most of the backporting work for the previous
> vulnerabilities of Ghostscript. I don't recommend backporting the stable
> version to Jessie at the moment, but rather continuing to address those
> issues with targeted fixes.

I disagree; rebasing to the latest release is the only sensible approach
(and I would have advised it already for the previous DLAs). While a
number of CVEs have been assigned over time, I strongly doubt they're
exhaustive, and there were cases where CVE IDs had been assigned for bugs
which had been fixed as regular bugs and only got a CVE ID when taviso
diagnosed the security impact in hindsight. There's a reason DSA-4336-1
rebased to 9.25 after DSA-4294-1 had already shipped a significant number
of backports.

> There is a high risk that
> reverse-dependencies will be negatively affected and there were also
> regressions in Stretch the security team had to deal with.

The regression fixed in DSA-4346-2 was a functional change within the
newer upstream release (i.e. it also affected sid) and it's fixed now, so
that's moot for jessie.

> The whole sandbox concept of ghostscript appears very fragile and even
> upstream seems to struggle to close all the loopholes. We should rather
> disable ghostscript-handled formats in graphicsmagick and imagemagick by
> default as I have previously suggested and let users handle it manually.

That is a solid plan in itself, but it does not help for all the legitimate
cases where ghostscript is invoked on untrusted content without any
involvement of the magicks. To properly fix that (to the extent of
currently known vulnerabilities) this still needs a rebase to 9.26a.

> We could also invest the time to fix this in unstable first and
> learn from the result.

Ack, it would be nice if this could land in time for buster.

Cheers,
Moritz