
Bug#584015: ijsgutenprint: Security bugs in ghostscript



On Tue, Jun 01, 2010 at 11:11:19AM +1000, Paul Szabo wrote:
> Package: ijsgutenprint
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> 
> Please note remote execute-any-code security bugs in ghostscript:
> 
>   http://bugs.debian.org/583183
> 
> This package depends on ghostscript, and may be affected. Please
> evaluate the security of this package, and fix if needed.

ijsgutenprint is a ghostscript IJS server driver.  It's invoked
/by/ ghostscript, so is not itself responsible for running
ghostscript.  One potential source of vulnerabilities is
actually in glue scripts such as Foomatic, so I think this probably
should be reassigned to foomatic-db-gutenprint.  Note that
most/all of Foomatic and ancillary data packages such
as foomatic-db-gutenprint are packages you should probably
look at.

Have you considered a whole-archive search for e.g. -dSAFER in
the lintian lab?  If a program is using -dSAFER, it should also
be using -P- in all likelihood.  It's probably better than
simply going off package dependencies.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
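
The whole-archive check suggested in the message above, as an added example (not part of the original mail and not Debian or lintian tooling): it walks an unpacked source tree and reports command lines that pass -dSAFER without -P-. The function names and sample files are constructed for illustration, and matching is a per-command-line heuristic meant for triage.

```python
import os
import re
import tempfile

# Match the flags as whole arguments, whether bare (shell) or quoted (C, Perl).
SAFER = re.compile(r"(?<![\w-])-dSAFER(?![\w-])")
NO_CWD = re.compile(r"(?<![\w-])-P-(?![\w-])")

def logical_lines(text):
    """Yield (first_line_no, command) with backslash continuations folded."""
    buf, start = [], None
    for n, line in enumerate(text.splitlines(), 1):
        start = start or n
        line = line.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        yield start, " ".join(buf + [line])
        buf, start = [], None
    if buf:  # file ended on a dangling continuation
        yield start, " ".join(buf)

def scan_text(text):
    """Line numbers of commands that use -dSAFER but not -P-."""
    return [n for n, cmd in logical_lines(text)
            if SAFER.search(cmd) and not NO_CWD.search(cmd)]

def scan_tree(root):
    """Sorted (relative_path, line_no) findings for every file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable entry: skip it
            findings += [(os.path.relpath(path, root), n) for n in hits]
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample files standing in for an unpacked package tree.
    samples = {"filter.sh": "gs -q -dSAFER -dBATCH -sDEVICE=ijs -\n",
               "wrapper.sh": "gs -q -dSAFER \\\n   -P- -dBATCH -\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        for rel, n in scan_tree(root):
            print(f"{rel}:{n}: -dSAFER without -P-")
```

Argument lists built across several source lines (for example a C argv array) are not joined by this heuristic, so hits and misses in such files need a manual look.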
