Re: RFC / Call for testing: ghostscript
On Wed, Jan 30, 2019 at 03:02:53PM +0100, Markus Koschany wrote:
> The truth is the -dSafer option gives a false sense of security even in
> the latest release and we will probably continue to see more of those
> issues.
Obviously, any deployment which processes documents should use additional
hardening, e.g. running ghostscript in firejail, but we still need to fix
these.
> The version in Jessie is more than seven years old already, so
> you have to carefully weigh the usefulness of backporting the latest
> stable release and the risk of breaking reverse-dependencies. The
> targeted approach worked well so far and all known vulnerabilities were
> addressed. The Jessie version is not any less secure than the version in
> Stretch and the codebase is very different.
No systematic triage has happened for older GS versions and given the rate
of findings by taviso there're bound to be issues which were fixed in
the past, but didn't get a CVE assigned. We need to look at the big picture
here.
> The point was you had to deal with regressions but the original version
> in Stretch was much more recent than the one in Jessie. You cannot rule
> out this will be the only functional change for Jessie users.
The API hasn't changed between jessie and the current 9.26 versions in
stretch, I don't expect any real issues. Ubuntu also rebased 14.04/trusty
to 9.26.
Cheers,
Moritz
Reply to: