Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-06-02 Thread Moritz Muehlenhoff
paul.sz...@sydney.edu.au wrote: The ghostscript people in http://bugs.ghostscript.com/show_bug.cgi?id=691339 told me to use the -P- switch, and marked it RESOLVED WONTFIX. I guess -P- should be the default, as well as -dSAFER should be. I agree, instead of fixing this in every single

Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-06-01 Thread Michael Gilbert
wouldn't it make more sense to solve these issues in the ghostscript package by itself; rather than 100 different packages. even if ghostscript won't change their code, debian always has the option to fix it anyway. that could be done by either applying a patch that automatically uses the

Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-05-31 Thread paul . szabo
Further gs issues. The gs scripts mentioned below are in /usr/bin: bdftops dumphint dvipdf eps2eps font2c gsbj gsdj gsdj500 gslj gslp gsnd pdf2dsc pdf2ps pdfopt pf2afm pfbtopfa printafm ps2ascii ps2epsi ps2pdf ps2pdf12 ps2pdf13 ps2pdf14 ps2pdfwr ps2ps ps2ps2 wftopfa (maybe others?). The

Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-05-31 Thread paul . szabo
Should some or all be alerted to this security issue? So far gv and libspectre1 only have been alerted (bugs #583316 and #583634). Yes, please. Done, all mentioned packages alerted: http://bugs.debian.org/584039 a2ps http://bugs.debian.org/583994 advi http://bugs.debian.org/583995

Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-05-31 Thread Jonas Smedegaard
tags 583183 help thanks On Mon, May 31, 2010 at 01:36:00PM +1000, paul.sz...@sydney.edu.au wrote: Seems to me that the following packages depend on ghostscript: advi advi-examples asymptote bmv c2050 capisuite courier-faxmail cups cups-pdf epix1 epstool fbi fig2ps flpsed gv hevea hpijs

Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-05-30 Thread paul . szabo
Seems to me that the following packages depend on ghostscript: advi advi-examples asymptote bmv c2050 capisuite courier-faxmail cups cups-pdf epix1 epstool fbi fig2ps flpsed gv hevea hpijs hylafax-client hylafax-server hyperlatex ifhp ijsgutenprint kghostview latex-make libgs-dev

Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-05-28 Thread paul . szabo
I guess this issue can be exploited remotely. If /etc/mailcap uses gs, then we are done: neither -P- nor -dSAFER are defaults. My Debian /etc/mailcap uses gv, and gv knows to use -dSAFER. First feed the victim a bad PS file named gs_res.ps or pdf_base.ps or similar. No harm done yet. Then feed

Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-05-26 Thread paul . szabo
The ghostscript people in http://bugs.ghostscript.com/show_bug.cgi?id=691339 told me to use the -P- switch, and marked it RESOLVED WONTFIX. I guess -P- should be the default, as well as -dSAFER should be. Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/

Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-05-25 Thread Paul Szabo
Package: ghostscript Version: 8.62.dfsg.1-3.2lenny1 Severity: grave File: /usr/bin/gs Tags: security Justification: user security hole Please see http://bugs.ghostscript.com/show_bug.cgi?id=691339 for details, quoted below for completeness. I am not convinced that my security wrapper protects