
Re: advice needed on how to proceed



On Fri, 2004-07-30 at 15:06, Martin-Éric Racine wrote:
> (note: I'm not subscribing to this list, please CC me)
> 
> Bug#259993 was submitted on one of my packages, tagged as a security risk.
> 
> Upstream has been quite cooperative in asserting the gravity and is very willing
> to fix anything that the submitter can demonstrate.  The problem is that some of
> the submitter's claims appear questionable and that he refuses to substantiate.
> 
> I'm tempted to tag this as wont-fix, but would like this list's input first.

This I believe is the same "bug" or "Security Risk" that caused our
Mozilla Packager to remove the PS print engine from Mozilla and package
it that way.

Now, a specific switch passed on to ghostscript needs to be used to fix
the issue.

From the gs man page:

        -dSAFER 
                Disables the "deletefile" and "renamefile" operators and
                the ability to open files in any mode other than
                read-only. This is desirable for spoolers or any other
                environments where a malicious or badly written
                PostScript program must be prevented from changing
                important files.

This is what he is spouting about, I think.

Cheers.
-- 
greg, greg@gregfolkert.net

The technology that is
Stronger, better, faster:  Linux
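
A check an administrator could run over spooler filter scripts to find Ghostscript invocations that omit the -dSAFER switch quoted above. This is an added example, not part of the original message; the binary names, the function names and the sample filter are assumptions constructed for illustration.

```python
import re
import shlex

GS_NAMES = {"gs", "ghostscript"}  # assumed binary names to look for
# Constructed sample print filter (not from any real package).
SAMPLE_FILTER = """\
#!/bin/sh
gs -q -dNOPAUSE -dBATCH -sDEVICE=ljet4 -sOutputFile=- -
cat "$1" | /usr/bin/gs -q -dSAFER -dNOPAUSE -dBATCH \\
    -sDEVICE=ljet4 -sOutputFile=- -
exec ghostscript -q -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=out.ps "$1"
# gs -q -dNOPAUSE old.ps
"""

def logical_lines(text):
    """Yield (first_line_no, line), joining backslash-newline continuations."""
    no = 1
    for chunk in re.split(r"(?<!\\)\n", text):
        yield no, chunk.replace("\\\n", " ")
        no += chunk.count("\n") + 1

def simple_commands(line):
    """Split a logical line into argv lists at | ; & && || ( )."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)          # also drops '#' comments
    except ValueError:                # unbalanced quote: crude fallback
        tokens = line.split()
    argv = []
    for tok in tokens + [";"]:        # trailing ';' flushes the last command
        if tok and set(tok) <= set("|;&()"):
            if argv:
                yield argv
            argv = []
        else:
            argv.append(tok)

def gs_without_safer(script_text):
    """Return [(line_no, program)] for Ghostscript calls lacking -dSAFER."""
    findings = []
    for no, line in logical_lines(script_text):
        for argv in simple_commands(line):
            # Skip a leading 'exec' and VAR=value assignments.
            while argv and (argv[0] == "exec" or re.match(r"\w+=", argv[0])):
                argv = argv[1:]
            if argv and argv[0].rsplit("/", 1)[-1] in GS_NAMES and "-dSAFER" not in argv:
                findings.append((no, argv[0]))
    return findings
```

Calling `gs_without_safer(SAMPLE_FILTER)` reports the calls on lines 2 and 5 of the sample; commands built inside `sh -c '...'` strings or shell variables are not inspected.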
