Bug#840691: libgs9: security update DSA-3691-1 breaks zathura, evince, ... in jessie
On Mon, 17 Oct 2016 06:52:25 +0200 Salvatore Bonaccorso wrote:

[...]
> Only a small status update. I worked on the very same patches for
> ghostscript as well for the unstable version, to confirm I did not make any
> significant mistake in the backports. The problem starts there as well
> once the patches are applied, and I suspect it actually might have
> uncovered a bug in a library which is used by evince and zathura(-ps),
> libspectre came to my mind.

So, if I understand correctly, the same bug would appear in Debian
unstable, with the security patches applied.
Hence, finding a fix is even more important.

>
> We got no reports for other clients so far, not using that.
>
> If you want to give the packages as well for unstable a try, I have
> uploaded to https://people.debian.org/~carnil/tmp/ghostscript/ .

I hope other people will find the time to test the packages.
I am unfortunately swamped: I won't be able to follow the debugging
closely. :-(

[...]
> Stay tuned, and any debugging help welcome.

Many thanks for the update.
Looking forward to seeing the issue solved for the best.

Thanks a lot for your time!

--
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
 . Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
Bug#840691: libgs9: security update DSA-3691-1 breaks zathura, evince, ... in jessie
Hi Francesco,

On Fri, Oct 14, 2016 at 10:56:57PM +0200, Francesco Poli wrote:
> On Fri, 14 Oct 2016 06:47:47 +0200 Salvatore Bonaccorso wrote:
>
> [...]
> > Hi Francesco,
>
> Hello Salvatore, thanks for your fast reply!
>
> >
> > On Thu, Oct 13, 2016 at 11:56:22PM +0200, Francesco Poli (wintermute) wrote:
> [...]
> > > After the security update:
> [...]
> > > I was unable to use zathura or evince
> [...]
> >
> > This was indeed not spotted in my testing of the update for the DSA.
> > The blame for this should solely go to myself (not the team). We
> > should find the cause asap and find a fix. I can reproduce it with
> > evince.
>
> It's a relief that you are able to reproduce the bug (at least, I was
> not seeing "ghosts"...).
>
> I hope that a fix may be found and applied soon.

Only a small status update. I worked on the very same patches for
ghostscript as well for the unstable version, to confirm I did not make any
significant mistake in the backports. The problem starts there as well
once the patches are applied, and I suspect it actually might have
uncovered a bug in a library which is used by evince and zathura(-ps),
libspectre came to my mind.

We got no reports for other clients so far, not using that.

If you want to give the packages as well for unstable a try, I have
uploaded to https://people.debian.org/~carnil/tmp/ghostscript/ .

Looking at the bugs for src:libspectre indeed there is a long list of
failure reports with some PostScript files not failing with other
viewers/readers :-/

The above though is not yet confirmed.

Stay tuned, and any debugging help welcome.

Regards,
Salvatore
Bug#840691: libgs9: security update DSA-3691-1 breaks zathura, evince, ... in jessie
On Fri, 14 Oct 2016 06:47:47 +0200 Salvatore Bonaccorso wrote:

[...]
> Hi Francesco,

Hello Salvatore, thanks for your fast reply!

>
> On Thu, Oct 13, 2016 at 11:56:22PM +0200, Francesco Poli (wintermute) wrote:
[...]
> > After the security update:
[...]
> > I was unable to use zathura or evince
[...]
>
> This was indeed not spotted in my testing of the update for the DSA.
> The blame for this should solely go to myself (not the team). We
> should find the cause asap and find a fix. I can reproduce it with
> evince.

It's a relief that you are able to reproduce the bug (at least, I was
not seeing "ghosts"...).

I hope that a fix may be found and applied soon.

P.S.: Thanks for all the good job on the many security updates that
have been issued for a long time!

--
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
 . Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
Bug#840691: libgs9: security update DSA-3691-1 breaks zathura, evince, ... in jessie
Control: affects -1 security.debian.org
Control: tags -1 + help

Hi Francesco,

On Thu, Oct 13, 2016 at 11:56:22PM +0200, Francesco Poli (wintermute) wrote:
> Package: libgs9
> Version: 9.06~dfsg-2+deb8u3
> Severity: grave
> Tags: security
> Justification: renders package unusable
>
> Hello!
>
> I had a bad surprise today in jessie.
> After the security update:
>
>   [UPGRADE] libgs9:amd64 9.06~dfsg-2+deb8u1 -> 9.06~dfsg-2+deb8u3
>   [UPGRADE] libgs9-common:amd64 9.06~dfsg-2+deb8u1 -> 9.06~dfsg-2+deb8u3
>
> I was unable to use zathura or evince (maybe other PS viewers are
> affected):
>
>   $ zathura foo.eps
>   warning: Failed to loads bookmarks.
>   invalidaccess -7
>   error: Rendering failed (page 1)
>   $ evince foo.eps
>   invalidaccess -7
>   invalidaccess -7
>   Segmentation fault
>
> After downgrading back to libgs9/9.06~dfsg-2+deb8u1 and
> libgs9-common/9.06~dfsg-2+deb8u1, everything is back to normal
> and the two PS viewers work again.
>
> What went wrong?
> If this is indeed a regression (as it seems to be), please fix it
> as soon as possible!

This was indeed not spotted in my testing of the update for the DSA.
The blame for this should solely go to myself (not the team). We
should find the cause asap and find a fix. I can reproduce it with
evince.

Regards,
Salvatore
Processed: Re: Bug#840691: libgs9: security update DSA-3691-1 breaks zathura, evince, ... in jessie
Processing control commands:

> affects -1 security.debian.org
Bug #840691 [libgs9] libgs9: security update DSA-3691-1 breaks zathura, evince, ... in jessie
Added indication that 840691 affects security.debian.org
> tags -1 + help
Bug #840691 [libgs9] libgs9: security update DSA-3691-1 breaks zathura, evince, ... in jessie
Added tag(s) help.

--
840691: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840691
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#840691: libgs9: security update DSA-3691-1 breaks zathura, evince, ... in jessie
Package: libgs9
Version: 9.06~dfsg-2+deb8u3
Severity: grave
Tags: security
Justification: renders package unusable

Hello!

I had a bad surprise today in jessie.
After the security update:

  [UPGRADE] libgs9:amd64 9.06~dfsg-2+deb8u1 -> 9.06~dfsg-2+deb8u3
  [UPGRADE] libgs9-common:amd64 9.06~dfsg-2+deb8u1 -> 9.06~dfsg-2+deb8u3

I was unable to use zathura or evince (maybe other PS viewers are
affected):

  $ zathura foo.eps
  warning: Failed to loads bookmarks.
  invalidaccess -7
  error: Rendering failed (page 1)
  $ evince foo.eps
  invalidaccess -7
  invalidaccess -7
  Segmentation fault

After downgrading back to libgs9/9.06~dfsg-2+deb8u1 and
libgs9-common/9.06~dfsg-2+deb8u1, everything is back to normal
and the two PS viewers work again.

What went wrong?
If this is indeed a regression (as it seems to be), please fix it
as soon as possible!

Thanks for your time.

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/20 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libgs9 depends on:
ii  libc6                           2.19-18+deb8u6
ii  libcups2                        1.7.5-11+deb8u1
ii  libcupsimage2                   1.7.5-11+deb8u1
ii  libfontconfig1                  2.11.0-6.3+deb8u1
ii  libfreetype6                    2.5.2-3+deb8u1
ii  libgs9-common                   9.06~dfsg-2+deb8u3
ii  libidn11                        1.29-1+deb8u2
ii  libijs-0.35                     0.35-10
ii  libjasper1                      1.900.1-debian1-2.4+deb8u1
ii  libjbig2dec0                    0.11+20120125-1
ii  libjpeg62-turbo                 1:1.3.1-12
ii  liblcms2-2                      2.6-3+b3
ii  libpaper1                       1.1.24+nmu4
ii  libpng12-0                      1.2.50-2+deb8u2
ii  libtiff5                        4.0.3-12.3+deb8u1
ii  poppler-data [gs-cjk-resource]  0.4.7-1
ii  zlib1g                          1:1.2.8.dfsg-2+b1

libgs9 recommends no packages.

libgs9 suggests no packages.

-- no debconf information