
Bug#583994: advi: Security bugs in ghostscript



Control: reopen -1

Hi,

On Sun, Jul 24, 2016 at 12:00:45AM -0400, Nicolas Braud-Santoni wrote:
> Control: close -1

I do not agree:

> Given that advi is meant purely for previewing and presenting DVIs,
> it is likely called on trusted inputs.

I had a discussion with upstream about this a long time ago. They seem to
think that the fact that advi has "active" in its name makes it absolutely
clear to anybody that advi has the ability to execute any code. I don't
agree with that: it would be easy to add a line in mailcap to use advi
as a viewer for any *.dvi files. We even have a wishlist bug requesting
this for the advi package. There is no reason to believe that any user
will use advi only on trusted dvi files.

> In any case, I do not think it makes sense to keep around a 6-year-old
> security bug.

That is not a reason to close a bug.

The default behaviour of gs has been fixed in Debian to use -P, however
this bug against advi should be closed only when one has verified the
options used by advi when it calls gs.

-Ralf.

