Bug#584064: texlive-base-bin: Security bugs in ghostscript
Dear Norbert,
> That is right, but still it is a bug of ghostscript and should
> be treated there, not anywhere else.
Yes. And when they advise you to use -P- (and refuse to make that the
default), you just need to follow: you need to change. (But yes, such
a gs requirement, leaving it "insecure by default", is insane.)
I note that right now, gs is unsafe even with -P-.
> Furthermore, gs is not run with extended privileges, so that
> does not compromise the system unless the cups code is forwarding
> that to gs.
Only affects the users of cups: all user accounts are now compromised.
I also guess that cups may be used for printing... I do not know whether
that runs as root (compromising the whole machine) or as user "printer"
(allowing attackers to "steal" sensitive printouts).
Cheers, Paul
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia