Re: Bug#840691: ghostscript and evince/libspectre problem

To: Moritz Muehlenhoff <jmm@inutil.org>, 840691@bugs.debian.org, Debian Security Team <team@security.debian.org>, debian-lts@lists.debian.org
Subject: Re: Bug#840691: ghostscript and evince/libspectre problem
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 27 Oct 2016 12:53:56 +0200
Message-id: <[🔎] 20161027105356.GA27238@lorien.valinor.li>
Mail-followup-to: Moritz Muehlenhoff <jmm@inutil.org>, 840691@bugs.debian.org, Debian Security Team <team@security.debian.org>, debian-lts@lists.debian.org
In-reply-to: <[🔎] 20161027104012.GG14240@miami.connexer.com>
References: <[🔎] 20161025195401.ha6xrmrewgphvi6l@eldamar.local> <[🔎] 20161027030954.GC14240@miami.connexer.com> <[🔎] 20161027065439.GA6772@inutil.org> <[🔎] 20161027103143.GF14240@miami.connexer.com> <[🔎] 20161027103516.GA12383@inutil.org> <[🔎] 20161027104012.GG14240@miami.connexer.com>

Hi

On Thu, Oct 27, 2016 at 06:40:12AM -0400, Roberto C. Sánchez wrote:
> On Thu, Oct 27, 2016 at 12:35:16PM +0200, Moritz Muehlenhoff wrote:
> > On Thu, Oct 27, 2016 at 06:31:43AM -0400, Roberto C. Sánchez wrote:
> > > On Thu, Oct 27, 2016 at 08:54:39AM +0200, Moritz Muehlenhoff wrote:
> > > > 
> > > > Salvatore mentioned that the same bug occurs when unstable has the security 
> > > > patches merged (which hasn't happened so far :-/), so this needs to be reported
> > > > upstream.
> > > > 
> > > Would that be to ghostscript upstream?  I guess that with seeing the
> > > evince problem in Jessie with both ghostscript 9.06~dfsg-2+deb8u2 and
> > > 9.06~dfsg-2+deb8u3 I wasn't certain that the fault is completely with
> > > ghostscript.
> > 
> > I haven't debugged this myself, but my guess is that libspectre relies/relied
> > on the insecure ghostscript behaviour which got patches with the security
> > fixes...
> > 
> OK.  That makes sense.  Thanks for clarifying.

Edgar Fuss has now posted where the bug actually seem to be. I'm
currently building ghostscript with that.

@Roberto: note, +deb8u1 -> +deb8u3 to see the regression, not the
intermittent +deb8u2.

Regards,
Salvatore

Reply to:

Follow-Ups:
- Re: Bug#840691: ghostscript and evince/libspectre problem
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: Bug#840691: ghostscript and evince/libspectre problem
  - From: Roberto C. Sánchez <roberto@connexer.com>

References:
- ghostscript and evince/libspectre problem
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: ghostscript and evince/libspectre problem
  - From: Roberto C. Sánchez <roberto@connexer.com>
- Re: ghostscript and evince/libspectre problem
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Re: Bug#840691: ghostscript and evince/libspectre problem
  - From: Roberto C. Sánchez <roberto@connexer.com>
- Re: Bug#840691: ghostscript and evince/libspectre problem
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Re: Bug#840691: ghostscript and evince/libspectre problem
  - From: Roberto C. Sánchez <roberto@connexer.com>

Prev by Date: Re: tre package ready for testing
Next by Date: Re: Bug#840691: ghostscript and evince/libspectre problem
Previous by thread: Re: Bug#840691: ghostscript and evince/libspectre problem
Next by thread: Re: Bug#840691: ghostscript and evince/libspectre problem
Index(es):
- Date
- Thread