
Re: Bug#584013: hyperlatex: Security bugs in ghostscript



  Hi,

On 01/06/2010 10:31, Roland Stigge wrote:
> Hi,
>
> On 06/01/2010 03:10 AM, Paul Szabo wrote:
>> This package depends on ghostscript, and may be affected. Please
>> evaluate the security of this package, and fix if needed.
>
> There are several issues with this bug:
>
> (1) If ghostscript has a bug, maybe it should be fixed there instead of
> in all gs dependent packages?
>
> (2) Mass bug filing (esp. RC/security) is generally not a great idea,
> especially if
>
> (3) You haven't checked the individual packages ("This package depends
> on ghostscript, and may be affected").
>
> (4) Please state clearly what's wrong with the package (hyperlatex in
> this case). From the other bug reports I deduce that gs calls should be
> extended with "-P- -dSAFER". This should be done in the hyperlatex
> source package in bin/ps2image, for the record.

  I agree on all points of this mail (replace "hyperlatex" by
"latex-make" in my case).
  I'm closing the bug for latex-make unless you come back with facts (or
that discussion on d-d agrees that all packages using gs must be changed).
I'm latex-make upstream, too. And I think that I depend on gs-common due
to calls to ps2ps/ps2pdf/... latex-make does not call gs directly.

  Please, take care when filing such an amount of bugs with such severity
just before a release.

  Regards,
    Vincent

