Bug#583994: advi: Security bugs in ghostscript
Control: reopen -1

Hi,

On Sun, Jul 24, 2016 at 12:00:45AM -0400, Nicolas Braud-Santoni wrote:
> Control: close -1

I do not agree:

> Given that advi is meant purely for previewing and presenting DVIs,
> it is likely called on trusted inputs.

I had a discussion with upstream about this a long time ago. They seem
to think that the fact that advi has "active" in its name makes it
absolutely clear to anybody that advi has the ability to execute any
code. I don't agree with that, it would be easy to add a line in mailcap
to use advi as a viewer for any *.dvi files. We even have a wishlist bug
requesting this for the advi package. There is no reason to believe that
any user will use advi only on trusted dvi files.

> In any case, I do not think it makes sense to keep around a 6 years old
> security bug.

That is not a reason to close a bug. The default behaviour of gs has
been fixed in debian to use -P, however this bug against advi should be
closed only when one has verified the options used by advi when it
calls gs.

-Ralf.
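One way to carry out the verification asked for above, as an added example that is not part of the original thread: record advi's child processes with `strace -f -e trace=execve -s 4096 -o trace.log advi file.dvi` and audit the gs invocations in the log. In Ghostscript, `-P` makes gs look in the current directory first for library files and `-P-` turns that off. The function names and the sample trace are constructed for illustration; the argv values shown are not advi's real ones.

```shell
#!/bin/sh
# Audit an execve trace for Ghostscript invocations and report how each one
# sets the library search option (-P / -P-).

# Constructed sample trace; the argv values are illustrative, not advi's real ones.
sample_trace() {
cat <<'EOF'
4101 execve("/usr/bin/advi", ["advi", "talk.dvi"], 0x7ffc0 /* 30 vars */) = 0
4102 execve("/usr/local/bin/gs", ["gs", "-P-", "-dNOPAUSE", "-"], 0x55d0 /* 30 vars */) = -1 ENOENT (No such file or directory)
4102 execve("/usr/bin/gs", ["gs", "-P-", "-dNOPAUSE", "-"], 0x55d0 /* 30 vars */) = 0
4103 execve("/usr/bin/gs", ["gs", "-P", "-dNOPAUSE", "-"], 0x55d0 /* 30 vars */) = 0
EOF
}

# Print a verdict for one strace execve record.
classify_gs_call() {
    line=$1
    # Failed PATH probes (ENOENT etc.) never ran anything; skip them.
    case $line in
        *') = 0') ;;
        *) echo "not-gs"; return 0 ;;
    esac
    # The first quoted string after execve( is the program that was executed.
    prog=$(printf '%s\n' "$line" | sed -n 's/.*execve("\([^"]*\)".*/\1/p')
    [ "${prog##*/}" = "gs" ] || { echo "not-gs"; return 0; }
    case $line in
        *'"-P"'*)  echo "cwd-search-forced" ;;    # caller re-enables the current-directory lookup
        *'"-P-"'*) echo "cwd-search-disabled" ;;  # caller turns it off explicitly
        *)         echo "packaged-default" ;;     # behaviour depends on the installed gs
    esac
}

# Read trace lines on stdin, print one verdict per gs call,
# and return 1 if any call forces -P.
audit_trace() {
    status=0
    while IFS= read -r line; do
        verdict=$(classify_gs_call "$line")
        if [ "$verdict" != "not-gs" ]; then
            printf '%s: %s\n' "$verdict" "$line"
        fi
        if [ "$verdict" = "cwd-search-forced" ]; then status=1; fi
    done
    return "$status"
}

sample_trace | audit_trace || echo "at least one gs call passes -P"
```

A "packaged-default" verdict means the outcome rests on the installed gs package rather than on advi, so it has to be rechecked on every release the bug is tracked against.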
Bug#583994: advi: Security bugs in ghostscript
Control: close -1

Hi,

Given that advi is meant purely for previewing and presenting DVIs,
it is likely called on trusted inputs.

In any case, I do not think it makes sense to keep around a 6 years old
security bug.

Best,

  nicoo

On Tue, Jun 01, 2010 at 11:01:00AM +1000, Paul Szabo wrote:
> Package: advi
> Severity: grave
> Tags: security
> Justification: user security hole
>
>
> Please note remote execute-any-code security bugs in ghostscript:
>
> http://bugs.debian.org/583183
>
> This package depends on ghostscript, and may be affected. Please
> evaluate the security of this package, and fix if needed.
>
> Thanks,
>
> Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of Sydney    Australia
Bug#583994: advi: Security bugs in ghostscript
Package: advi
Severity: grave
Tags: security
Justification: user security hole

Please note remote execute-any-code security bugs in ghostscript:

http://bugs.debian.org/583183

This package depends on ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages advi depends on:
ii  libc6          2.7-18lenny2        GNU C Library: Shared libraries
ii  libfreetype6   2.3.7-2+lenny1      FreeType 2 font engine, shared lib
ii  libjpeg62      6b-14               The Independent JPEG Group's JPEG
pn  libpng2        none                (no description available)
pn  libtiff3g      none                (no description available)
ii  libungif4g     4.1.6-6             library for GIF images (transition
pn  xlibs          none                (no description available)
ii  zlib1g         1:1.2.3.3.dfsg-12   compression library - runtime

advi recommends no packages.

advi suggests no packages.