Bug#584015: ijsgutenprint: Security bugs in ghostscript
Dear Roger,
> ijsgutenprint is a ghostscript IJS server driver. It's invoked
> /by/ ghostscript, so is not itself responsible for running
> ghostscript. One potential source of vulnerabilities is
> actually in glue scripts such as Foomatic, so I think probably
> should be reassigned to foomatic-db-gutenprint. Note that
> most/all of Foomatic and ancillary data packages such
> as foomatic-db-gutenprint are packages you should probably
> look at.
Speaking to the printconf maintainer in
http://bugs.debian.org/584026
he said that foomatic-filters is only affected. Maybe he knows, he is
also the foomatic maintainer...
> Have you considered a whole-archive search for e.g. -dSAFER in
> the lintian lab? ...
Sorry, do not know how to do that search. Can you explain?
> ... If a program is using -dSAFER, it should also
> be using -P- in all likelihood. It's probably better than
> simply going off package dependencies.
Responses to the various bugs show that no-one was aware of -P-, many
still stubbornly say "I use -dSAFER thus am safe". I am not sure now if
there was anyone without -dSAFER.
Thanks, Paul
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
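
The kind of search discussed in this thread, as an added example that is not part of the original message and not a lintian feature: it scans script text for Ghostscript command lines and reports those that lack -P-, the option that stops gs from searching the current directory first. The function names, status labels and sample script are constructed for illustration.

```python
import re

# Ghostscript invoked by name or by path (gs, /usr/bin/gs, ghostscript).
GS_CMD = re.compile(r'(?<![\w.-])(?:[\w./]*/)?(?:gs|ghostscript)(?![\w.-])')
SAFER = re.compile(r'(?<![\w-])-dSAFER\b')
NO_CWD = re.compile(r'(?<![\w-])-P-(?![\w-])')

def logical_lines(text):
    """Yield (first_line_number, joined_text), merging backslash continuations."""
    buf, start = [], None
    for n, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if line.rstrip().endswith('\\'):
            buf.append(line.rstrip()[:-1])
            continue
        buf.append(line)
        yield start, ' '.join(buf)
        buf, start = [], None
    if buf:  # file ended in the middle of a continuation
        yield start, ' '.join(buf)

def audit(text):
    """Return [(line_number, status)] for command lines that lack -P-."""
    findings = []
    for n, cmd in logical_lines(text):
        if cmd.lstrip().startswith('#'):
            continue  # shebang or comment
        has_safer = bool(SAFER.search(cmd))
        # -dSAFER also catches invocations through a variable such as $GS.
        if not (has_safer or GS_CMD.search(cmd)):
            continue
        if NO_CWD.search(cmd):
            continue
        findings.append((n, 'SAFER-without-P-' if has_safer else 'no-SAFER-no-P-'))
    return findings

# Constructed sample script, not taken from any package.
SAMPLE = r"""#!/bin/sh
# constructed sample filter script
gs -q -dBATCH -dNOPAUSE -dSAFER \
   -sDEVICE=ijs -sOutputFile=- -
/usr/bin/gs -P- -dSAFER -q -sDEVICE=pswrite -
$GS -dSAFER -sDEVICE=png16m in.ps
ghostscript -q -sDEVICE=txtwrite in.ps
"""

if __name__ == "__main__":
    for lineno, status in audit(SAMPLE):
        print(lineno, status)
```

Options assembled across several variables or passed as an argument list from C, Perl or Python code are not seen by this line-based check and need manual review.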