On Fri, 2004-07-30 at 15:06, Martin-Éric Racine wrote:
> (note: I'm not subscribing to this list, please CC me)
>
> Bug#259993 was submitted on one of my package, tagged as a security risk.
>
> Upstream has been quite cooperative in asserting the gravity and is very willing
> to fix anything that the submitter can demonstrate. The problem is that some of
> the submitter's claims appear questionable and that he refuses to substanciate.
>
> I'm tempted to tag this as wont-fix, but would like this list's input first.
This I believe is the same "bug" or "Security Risk" that caused our
Mozilla Packager to remove the PS print engine from Mozilla and package
it that way.
Now, a specific switch passed onto ghostscript needs to be used to fix
the issue.
From the gs man page:
-dSAFER
Disables the "deletefile" and "renamefile" operators and
the ability to open files in any mode other than
read-only. This is desirable for spoolers or any other
environments where a malicious or badly written
PostScript program must be prevented from changing
important files.
This is what he is spouting about, I think.
Cheers.
--
greg, greg@gregfolkert.net
The technology that is
Stronger, better, faster: Linux
Attachment:
signature.asc
Description: This is a digitally signed message part