RFC / Call for testing: ghostscript
Hi,

There is a vulnerability in ghostscript that allows maliciously crafted files to
bypass the sandbox and execute arbitrary code:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1729

I would be wary of backporting the fix to our old version of ghostscript as the
code has changed quite a lot and we would need to analyze which operators could
be exploited and there's a risk that we would miss some (see how it took
upstream several attempts to come up with a complete fix for all possible cases).

Debian stretch has updated to the last upstream version that contains a fix (and
updated to newer versions in the past too), so did Ubuntu even back to 14.04,
and SuSE. No update for RedHat 7 yet, but they ship gs 9.07 so it'd be
interesting to see what they do.

For now I have prepared and tested a 9.26a backport to jessie. The diff is huge
but given the above I'm not too wary of shipping this. It's worked for me, both
building some libgs-dev rdeps, and testing libgs to render some PS files. As for
dependencies, it no longer uses Jasper (not supported by upstream anymore) and
uses openjpeg2 instead. There's also a new dependency on libexpat.

I have pushed the updated packages to:

https://people.debian.org/~pochu/lts/ghostscript/

I would appreciate some testing and/or feedback.

Cheers,
Emilio