
Re: Mozilla "PostScript/default" security problems



Hello!

'> As several threads on debian-user and debian-gtk-gnome point out,
'> the only way to fix this in sid is by recompiling the package.
'
' Er-kay. I see, umm, well EXACTLY MY POINT.

Well, nobody in these three or four threads disputed that it could
be fixed by recompiling, or that recompiling (or downloading 
third-party debs) was an adequate fix for sid. Neither did
anybody whine about the hard life on the bleeding edge.
This is *only* about Sarge!

' If it has to be that way, then it does. Many packages I want to use are
' either orphaned or up for adoption. The WNPP list is getting insane. If
' I were a true developer instead of a Network/Systems Analyst that will
' program around bugs/difficulties to get the job done, I'd be more than
' happy to work on them.

But this is something completely different. Not only is the maintainer
of Ephy very active (and probably busy behind the scenes to fix things),
Epiphany is not just any program, it is the default browser of Gnome,
tightly integrated and mentioned in the documentation everywhere. If you
rip it out, basically there is a cornerstone of Gnome missing. Of course
you can use other browsers in Gnome, but you won't get the tightly integrated
and polished experience of using Ephy.

And even if you had the time to adopt Ephy (not that I think it is up
for adoption), *you would not be able to fix it, because the problem is
with mozilla*. The Epiphany maintainer can do nothing about it, except
a complete rewrite of Epiphany's printing independent of upstream.

' This I will agree. But, then why use Sid? If you are not willing to bear
' some hard times with Sid, you are not Worthy.

This is not a pissing contest. I do not care if I am worthy. I am not
complaining about Sid either. My problems are with sarge, as it does
not take a rocket scientist to predict what will happen when Mozilla
1.7 slips into Sarge and this problem is not resolved.

' I can not tell enough people, enough times, that using Sid for daily
' production work can be and at times is extremely painful. If you do
' not know how to workaround/fix these issues... USE STABLE.

Nobody whined, nobody complained about anything related to Sid.

'> Add to this the compatibility problems some people have with
'> the XPrint backend (inferior graphics output, complicated 
'> resolution settings, cut-off page borders on some printers)
'> even if they do not use Epiphany or Galeon, but Mozilla or 
'> Firefox.
'
' Well now that is just silly beyond compare. I have not had any real
' difficulty making XPrint work as acceptably as any other printing
' alternative.

It is not silly at all.

*I* myself had no problems with it, setting up Xprint for Mozilla (which I
did, because Xprint is necessary for Cyrillic or Arabic printouts).
It is just so -- whether you believe it or not -- that Xprint is not a panacea.

E.g. Xprint might not have enough knowledge about the printer hardware
(unlike e.g. gimp-print has) to do the different techniques and
tricks of dithering and head-positioning for high quality inkjets,
as Xprint just does PostScript, PCL and raster AFAIK. Once the page
has passed through Xprint, some valuable information might be lost
for a more hardware-aware driver.

And of course there are the plain bugs that might or might not be
solvable in reasonable time.

' There is another thread in debian-security right now that has disclosed
' the threat and the web-site that offers the advisory.

http://www.imc.org/ietf-822/old-archive1/msg01346.html

Please look at the date. This is ridiculous. And I don't see
why this would be a bug in mozilla, and not in gs. With the
same reasoning exim should be disabled, because e-Mail can be
used to send PostScript files. This has been known for
a *loong* time, and gs has a switch -dSAFER as long as I can
remember. Also it is not clear to me why this would just
be relevant for the direct backend or just the unstable version
of Mozilla. There *must* be more than that.
' It might _not_ *BE* vulnerable in the older code set that Stable uses, I
' am not sure on this one.

Have you actually read this "advisory"?

Or do you mean the statement by Rebecca Greenwald? It actually
gives no specific information or proof. Neither does it differentiate
between versions.

Thanks for listening everybody, I am stepping down from my soapbox now!

/ralph -- sorry for messing up threading, but I am not subscribed and
          pick quotes out of the archive.
