Your message dated Tue, 17 Sep 2019 13:20:15 +0200 with message-id <156871921514.21624.4420864137243945594@auryn.jones.dk> and subject line Re: Bug#592569: Please make -dSAFER the default has caused the Debian Bug report #592569, regarding gs: ps documents can overwrite arbitrary files unless -dSAFER is used to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
592569: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=592569
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: ghostscript: Please make -dSAFER the default
- From: Paul Szabo <paul.szabo@sydney.edu.au>
- Date: Wed, 11 Aug 2010 13:00:49 +1000
- Message-id: <20100811030049.17963.36362.reportbug@bari.maths.usyd.edu.au>
Package: ghostscript
Version: 8.62.dfsg.1-3.2lenny4
Severity: grave
Tags: security
Justification: user security hole

Please make the -dSAFER option the default.

For discussion, rationale etc please see bugs #583183 and #584663, and particularly:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584663#55

Thanks, Paul

Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

-- System Information:
Debian Release: 5.0.5
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-pk03.18-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages ghostscript depends on:
ii debconf [debc 1.5.24 Debian configuration management sy
ii debianutils 2.30 Miscellaneous utilities specific t
ii defoma 0.11.10-0.2 Debian Font Manager -- automatic f
ii gs-common 8.62.dfsg.1-3.2lenny4 Dummy package depending on ghostsc
ii gsfonts 1:8.11+urwcyr1.0.7~pre44-3 Fonts for the Ghostscript interpre
ii libc6 2.7-18lenny4 GNU C Library: Shared libraries
ii libgs8 8.62.dfsg.1-3.2lenny4 The Ghostscript PostScript/PDF int

Versions of packages ghostscript recommends:
ii psfontmgr 0.11.10-0.2 PostScript font manager -- part of

Versions of packages ghostscript suggests:
ii ghostscript-x 8.62.dfsg.1-3.2lenny4 The GPL Ghostscript PostScript/PDF
pn hpijs <none> (no description available)

-- no debconf information
--- End Message ---
--- Begin Message ---
- To: 592569-done@bugs.debian.org
- Subject: Re: Bug#592569: Please make -dSAFER the default
- From: Jonas Smedegaard <dr@jones.dk>
- Date: Tue, 17 Sep 2019 13:20:15 +0200
- Message-id: <156871921514.21624.4420864137243945594@auryn.jones.dk>
- Reply-to: 592569@bugs.debian.org
- In-reply-to: <20140328204709.GA100145@vauxhall.crustytoothpaste.net>
- References: <20140328204709.GA100145@vauxhall.crustytoothpaste.net>
Version: 9.28~~rc1~dfsg-1

Quoting brian m. carlson (2014-03-28 21:47:09)
> I have reported at least two different vulnerabilities against Debian
> packages that are caused by invoking gs without -dSAFER. They are
> extremely trivial to find and create working exploits for.
>
> It is very common for programs to use gs on untrusted input; in fact, it
> is often used to fix broken input. The incidence of cases in which the
> user does not want the behavior of -dSAFER is extremely low. This makes
> -dSAFER a logical default.
>
> I'm personally just fine looking for more of these types of
> vulnerabilities as long as -dSAFER isn't the default. However, I
> suspect the Debian Security Team would prefer to handle fewer
> vulnerabilities of this class, and clearly Debian users would benefit
> from not having their files deleted by malicious PostScript.

Ghostscript upstream has redefined -dSAFER since (pre-releases of) 9.28 so that effectively (old meaning of) -dSAFER is now enabled by default.

- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/

[x] quote me freely [ ] ask before reusing [ ] keep private

Attachment: signature.asc
Description: signature
--- End Message ---
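
An added example, not part of the bug log or of Ghostscript: a small audit helper that decides whether a given gs command line runs with the -dSAFER restrictions, using the 9.28 default change stated in the closing message. The function names and the sample command lines are constructed; it assumes gs reads switches left to right, so a -dSAFER placed after the first input does not cover that input, and it treats any -dNOSAFER or -dDELAYSAFER as an opt-out.

```python
import os
import re
import shlex

SAFER_DEFAULT_SINCE = (9, 28)            # per the closing message on this page
OPT_OUT = {"-dNOSAFER", "-dDELAYSAFER"}  # switches that lift the restrictions
TAKES_VALUE = {"-o", "-I"}               # value may follow as a separate word
INPUT_MARKERS = {"-", "--", "-f", "-c"}  # stdin, file and inline-code forms


def parse_version(text):
    """Return (major, minor) from `gs --version` style output, e.g. '9.27'."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"unrecognised gs version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def restricted(command, gs_version):
    """True if the gs invocation is restricted, False if not, None if not gs."""
    argv = shlex.split(command)
    if not argv or os.path.basename(argv[0]) != "gs":
        return None
    if any(arg in OPT_OUT for arg in argv[1:]):
        return False                      # conservative: opt-out anywhere counts
    safer = parse_version(gs_version) >= SAFER_DEFAULT_SINCE
    args = iter(argv[1:])
    for arg in args:
        if arg == "-dSAFER":
            safer = True
        elif arg in TAKES_VALUE:
            next(args, None)              # skip the switch's value
        elif not arg.startswith("-") or arg in INPUT_MARKERS:
            break                         # first input reached; later switches are too late
    return safer


if __name__ == "__main__":
    # Constructed sample command lines, as they might appear in a wrapper script.
    samples = [
        ("gs -q -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -sOutputFile=out.pdf in.ps", "9.27"),
        ("gs -dSAFER -q -o out.pdf in.ps", "8.62"),
        ("gs -o out.pdf in.ps -dSAFER", "8.62"),
        ("gs -dNOSAFER in.ps", "9.50"),
    ]
    for cmd, ver in samples:
        print(f"gs {ver}: restricted={restricted(cmd, ver)}  {cmd}")
```
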