Bug#895513: confirming 895513

2018-11-10 Thread Salvatore Bonaccorso
Hi,

FTR, the issue seems present as well with current sid version for
ghostscript (which is on 9.25).

Regards,
Salvatore



Bug#895513: confirming 895513

2018-05-14 Thread Jan Jeroným Zvánovec
tags 895513 + confirmed wontfix
thanks

Thanks for reporting. The developers of Ghostscript have actually withdrawn
from removing the support for DELAYBIND and WRITESYSTEMDICT already in
November [1], and I have tested that pstotext seems to work with Ghostscript
9.23 released in March [2], so the only problem seems to be with Ghostscript
version 9.22.

But it really worries me that we are talking about possible security issues in
software with no upstream activity for years. Not using SAFER when calling
Ghostscript has been considered a security issue in Debian [3][4], and the
initiative to remove DELAYBIND and WRITESYSTEMDICT seems to be motivated by
the fact that these options actually circumvent SAFER.

While I could make a new package version requiring Ghostscript version at
least 9.23, I believe the time has come to let the package go. Ghostscript
developers published a warning which probably should not be just ignored; it
should trigger a security audit checking the correct usage of DELAYBIND and
WRITESYSTEMDICT in pstotext. That's something I cannot do, I do not have the
knowledge and ambition to make up for the missing upstream - I am not an
experienced PostScript programmer.

Jan Jeroným Zvánovec

[1] https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fa499a5809aab45b2891b5c8b2363d1bca890757
[2] https://www.ghostscript.com/doc/9.23/News.htm
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=319758
[4] https://people.debian.org/~koster/www/security/2005/dsa-792


-- 
Jan Jeroným Zvánovec, j...@zvano.net
Jabber: janjero...@jabber.cz
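An added audit helper, not part of this bug thread or of pstotext: it scans a wrapper script for Ghostscript invocations and flags the combination Jan describes (SAFER requested but DELAYBIND or WRITESYSTEMDICT set, or no SAFER at all). The sample wrapper is constructed, and treating -dNOSAFER as cancelling -dSAFER regardless of switch order is an assumption of this audit.

```python
"""Audit Ghostscript command lines for the -dSAFER / DELAYBIND /
WRITESYSTEMDICT combination discussed in Debian bug #895513."""
import shlex
from typing import Dict, List

SAFER = "-dSAFER"
NOSAFER = "-dNOSAFER"
# Switches the Ghostscript developers warned can circumvent -dSAFER.
WEAKENING = ("-dDELAYBIND", "-dWRITESYSTEMDICT")
GS_BINARIES = {"gs", "ghostscript"}


def audit_gs_args(argv: List[str]) -> Dict[str, object]:
    """Classify one Ghostscript argument vector.

    Assumption: -dNOSAFER anywhere is treated as cancelling -dSAFER,
    ignoring switch ordering (conservative for an audit)."""
    switches = {a for a in argv if a.startswith("-d")}
    safer = SAFER in switches and NOSAFER not in switches
    weakening = [s for s in WEAKENING if s in switches]
    findings: List[str] = []
    if not safer:
        findings.append("runs without an effective -dSAFER")
    for s in weakening:
        findings.append(f"{s} is set and can circumvent -dSAFER; review its use")
    return {"safer": safer, "weakening": weakening,
            "findings": findings, "ok": safer and not weakening}


def scan_script(text: str) -> List[Dict[str, object]]:
    """Find gs/ghostscript command lines in a shell-style script, audit each."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            argv = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes: not a complete command line
        if argv and argv[0].rsplit("/", 1)[-1] in GS_BINARIES:
            report = audit_gs_args(argv)
            report["line"] = lineno
            results.append(report)
    return results


# Constructed sample wrapper, modelled on how a text extractor might call gs;
# it is not pstotext's real command line.
SAMPLE_WRAPPER = """\
#!/bin/sh
# weak: DELAYBIND/WRITESYSTEMDICT undo what SAFER is meant to guarantee
gs -q -dNODISPLAY -dSAFER -dDELAYBIND -dWRITESYSTEMDICT -dBATCH -dNOPAUSE in.ps
# weak: no SAFER at all
gs -q -dNODISPLAY -dBATCH -dNOPAUSE in.ps
# acceptable: SAFER without the two switches
gs -q -dNODISPLAY -dSAFER -dBATCH -dNOPAUSE in.ps
"""

if __name__ == "__main__":
    for r in scan_script(SAMPLE_WRAPPER):
        print(r["line"], "OK" if r["ok"] else "; ".join(r["findings"]))
```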