
Bug#584015: ijsgutenprint: Security bugs in ghostscript



Dear Roger,

> ijsgutenprint is a ghostscript IJS server driver.  It's invoked
> /by/ ghostscript, so is not itself responsible for running
> ghostscript.  One potential source of vulnerabilities is
> actually in glue scripts such as Foomatic, so I think probably
> should be reassigned to foomatic-db-gutenprint.  Note that
> most/all of Foomatic and ancillary data packages such
> as foomatic-db-gutenprint are packages you should probably
> look at.

Speaking to the printconf maintainer in
http://bugs.debian.org/584026
he said that foomatic-filters is only affected. Maybe he knows, he is
also the foomatic maintainer...

> Have you considered a whole-archive search for e.g. -dSAFER in
> the lintian lab? ...

Sorry, do not know how to do that search. Can you explain?

> ... If a program is using -dSAFER, it should also
> be using -P- in all likelihood.  It's probably better than
> simply going off package dependencies.

Responses to the various bugs show that no-one was aware of -P-, many
still stubbornly say "I use -dSAFER thus am safe". I am not sure now if
there was anyone without -dSAFER.

Thanks, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
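
An added example, not part of the original message or of any Debian package: one way to check the rule quoted above, that a caller passing -dSAFER should also pass -P- (which stops Ghostscript from looking in the current directory first for library files). The executable names, the helper names and the sample wrapper script are assumptions constructed for illustration.

```python
import os
import re
import shlex

GS_NAMES = {"gs", "ghostscript"}            # assumed executable names
SEPARATORS = {"|", "||", "&&", ";", "&"}    # tokens that end one command

def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations merged."""
    no = 1
    for chunk in re.split(r"(?<!\\)\n", text):
        yield no, chunk.replace("\\\n", " ")
        no += chunk.count("\n") + 1

def tokens(line):
    """Shell-style split: '#' comments are dropped, separators kept."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        return list(lex)
    except ValueError:                      # unbalanced quote: naive split
        return line.split()

def gs_commands(line):
    """Yield the argument list of every gs command on one logical line."""
    toks, i = tokens(line), 0
    while i < len(toks):
        is_gs = not toks[i].startswith("-") and os.path.basename(toks[i]) in GS_NAMES
        j = i + 1
        while is_gs and j < len(toks) and toks[j] not in SEPARATORS:
            j += 1
        if is_gs:
            yield toks[i + 1:j]
        i = j

def audit(text):
    """Return (line_no, args) for gs calls with -dSAFER but without -P-."""
    return [(no, args) for no, line in logical_lines(text)
            for args in gs_commands(line)
            if "-dSAFER" in args and "-P-" not in args]

SAMPLE = """#!/bin/sh
gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=ijs \\
   -sOutputFile=- - | lpr
/usr/bin/gs -P- -dSAFER -q -sOutputFile=out.ps in.ps
"""  # constructed wrapper script, not taken from any package
if __name__ == "__main__":
    for no, args in audit(SAMPLE):
        print(f"line {no}: -dSAFER without -P-: gs {' '.join(args)}")
```

Only literal gs command lines are checked; options assembled in variables or passed by a calling program still need manual review.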


