Re: DLA-1792-1/ghostscript and cups-filters
On Sun, May 19, 2019 at 04:28:19PM -0400, Roberto C. Sánchez wrote:
> Hi Salvatore,
>
> On Sun, May 19, 2019 at 10:23:14PM +0200, Salvatore Bonaccorso wrote:
> > Hi Roberto
> >
> > With the update of ghostscript in DLA 1792-1 for ghostscript pdfdict
> > is hidden for the fix for CVE-2019-3839.
> >
> > cups-filters used though this undocumented internal, so with the
> > ghostscript update cups-filter will experience a functional
> > regression.
> >
> > In unstable cups-filter was fixed shortly after the 9.27 update, for
> > stable we issued a corresponding update for cups-filters following the
> > ghostscript update as
> > https://lists.debian.org/debian-security-announce/2019/msg00087.html .
> >
> > Thus I think you will need to issue the same update for cups-filters as
> > well for jessie to not use pdfdict but rather runpdfbegin. This way
> > cups-filters will work both with a fixed and unfixed ghostscript.
> >
> > Please though double-check.
> >
> Thanks for letting me know. I will have a look as you suggest.
>
The cups-filter code is identical in stretch and jessie. The patch
added for cups-filter 1.11.6-3+deb9u1 applies with no offset or fuzz.
Based on that, I am preparing an update for cups-filter in jessie.
Thanks again for alerting me to this issue so that I can get an update
published in a timely fashion.
Regards,
-Roberto
--
Roberto C. Sánchez