Re: Bug#840691: ghostscript and evince/libspectre problem
On Thu, Oct 27, 2016 at 06:40:12AM -0400, Roberto C. Sánchez wrote:
> On Thu, Oct 27, 2016 at 12:35:16PM +0200, Moritz Muehlenhoff wrote:
> > On Thu, Oct 27, 2016 at 06:31:43AM -0400, Roberto C. Sánchez wrote:
> > > On Thu, Oct 27, 2016 at 08:54:39AM +0200, Moritz Muehlenhoff wrote:
> > > >
> > > > Salvatore mentioned that the same bug occurs when unstable has the security
> > > > patches merged (which hasn't happened so far :-/), so this needs to be reported
> > > > upstream.
> > > >
> > > Would that be to ghostscript upstream? I guess that with seeing the
> > > evince problem in Jessie with both ghostscript 9.06~dfsg-2+deb8u2 and
> > > 9.06~dfsg-2+deb8u3 I wasn't certain that the fault is completely with
> > > ghostscript.
> > I haven't debugged this myself, but my guess is that libspectre relies/relied
> > on the insecure ghostscript behaviour which got patches with the security
> > fixes...
> OK. That makes sense. Thanks for clarifying.
Edgar Fuss has now posted where the bug actually seem to be. I'm
currently building ghostscript with that.
@Roberto: note, +deb8u1 -> +deb8u3 to see the regression, not the