Hi,

> On Sun, Aug 01, 2004 at 05:07:52AM +0200, Florian Zumbiehl wrote:
>
> Certainly, a genuine security vulnerability should be release-critical. We
> must not release software with known security vulnerabilities.

Seems to make sense =:-)

> It sounds like the upstream author may have misunderstood your report, which
> led to further misunderstanding on the part of the Debian maintainer.

Yep, but that's why I explained it in the followup mail, also archived in the
BTS:

| "File operations" refers to the postscript program that is executed by
| ghostscript here. Something along the lines of -dSAFER is needed to
| make this safe, however I'm not sure as to which options are needed.
| Maybe, it can't be made safe at all if gs is run as root. !?

[longer explanation of the problems with the invocation of gs by cups-pdf]

Do you possibly know whether -dSAFER is sufficient? Or does that still allow
arbitrary files to be read or anything else that a normal user should not be
able to do with root privileges?

> Also, there seems to be some confusion about the symlink attack (#259933),
> specifically where the output is actually written. I don't know anything
> about cups-pdf, so I don't know who is correct here.

The source code isn't that complex, if you wanna have a look ;-)

The output is written to ~/cups-pdf, which is created automatically if it
doesn't exist already, currently world-writable, IIRC.

As we are on debian-qa: Even if this was not a security problem, this IMO
should have been made sure prior to downgrading the bug, and it should have
been mentioned in the mail instructing the BTS to change the severity!?

> At least the gs issue seems like a genuine concern and justifies Severity:
> grave, so I have changed the severity of that bug. cups-pdf should not be
> released with sarge unless that bug is fixed.

Yep, that's the most obvious one, indeed.

How about splitting off the purely security-related part of this thread to
debian-security, as suggested by Frank?

Cya, Florian
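The symlink attack discussed above (#259933) hinges on a privileged writer dropping its output into a world-writable directory that an unprivileged user controls. The following is an added illustration, not code from cups-pdf or from anyone in this thread: it builds a constructed stand-in for ~/cups-pdf in a temporary directory, plants a symlink where the job file will land, shows that a naive `>` redirect follows the link and clobbers the target, and shows one check that refuses to write over an existing path (plus `noclobber`, so the open uses O_EXCL against a link planted after the check). No root is needed to see the effect; `victim` stands in for whatever file an attacker would point the link at.

```shell
#!/bin/sh
# Added example, not part of cups-pdf. Demonstrates the symlink problem with a
# world-writable output directory and one check a privileged writer can apply.

# naive_write DEST SRC: the pattern to avoid. A plain '>' follows an existing
# symlink at DEST, so the bytes land wherever the link points.
naive_write() {
    cat "$2" > "$1"
}

# safe_write DEST SRC: refuse if DEST already exists in any form (a symlink
# counts even if dangling), then create it under noclobber so the shell opens
# it with O_CREAT|O_EXCL and a link planted between check and open still fails.
safe_write() {
    dest=$1
    src=$2
    if [ -L "$dest" ] || [ -e "$dest" ]; then
        echo "refusing to write: $dest already exists" >&2
        return 1
    fi
    ( set -C; cat "$src" > "$dest" ) 2>/dev/null || return 1
    return 0
}

# demo: returns 0 when the naive write followed the link (victim clobbered) and
# safe_write refused. All paths below are constructed inside a temp directory.
demo() {
    tmp=$(mktemp -d) || return 2
    victim="$tmp/victim"        # stands in for a file the attacker wants to overwrite
    out="$tmp/cups-pdf"         # stands in for the world-writable ~/cups-pdf
    job="$tmp/job.pdf"          # the converted output the privileged side produces

    echo "original contents" > "$victim"
    echo "%PDF-1.4 constructed job" > "$job"
    mkdir -m 0777 "$out"

    # attacker (unprivileged) plants a link where the next job will be written
    ln -s "$victim" "$out/job.pdf"

    naive_write "$out/job.pdf" "$job"
    naive_followed=0
    [ "$(cat "$victim")" = "%PDF-1.4 constructed job" ] && naive_followed=1

    echo "original contents" > "$victim"
    safe_refused=0
    safe_write "$out/job.pdf" "$job" || safe_refused=1
    [ "$(cat "$victim")" = "original contents" ] || safe_refused=0

    rm -rf "$tmp"
    [ "$naive_followed" = 1 ] && [ "$safe_refused" = 1 ]
}

demo && echo "naive write followed the symlink; safe_write refused it"
```

The check only closes the overwrite path shown here. If the process doing the writing runs as root, refusing existing paths does not remove the underlying problem that root is writing into a directory the user owns; the durable fix is to do the write as the user (or into a directory the user cannot modify), which is the same concern the mail raises about running gs as root.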

