
RFC / Call for testing: ghostscript



Hi,

There is a vulnerability in ghostscript that allows maliciously crafted files to
bypass the sandbox and execute arbitrary code:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1729

I would be wary of backporting the fix to our old version of ghostscript as the
code has changed quite a lot and we would need to analyze which operators could
be exploited and there's a risk that we would miss some (see how it took
upstream several attempts to come up with a complete fix for all possible cases).

Debian stretch has updated to the last upstream version that contains a fix (and
updated to newer versions in the past too), so did Ubuntu even back to 14.04,
and SuSE. No update for RedHat 7 yet, but they ship gs 9.07 so it'd be
interesting to see what they do.

For now I have prepared and tested a 9.26a backport to jessie. The diff is huge
but given the above I'm not too wary of shipping this. It's worked for me, both
building some libgs-dev rdeps, and testing libgs to render some PS files. As for
dependencies, it no longer uses Jasper (not supported by upstream anymore) and
uses openjpeg2 instead. There's also a new dependency on libexpat.

I have pushed the updated packages to:

https://people.debian.org/~pochu/lts/ghostscript/

I would appreciate some testing and/or feedback.

Cheers,
Emilio

