Your message dated Tue, 28 Dec 2010 00:32:23 +0000
with message-id <[email protected]>
and subject line Bug#584653: fixed in ghostscript 8.71~dfsg2-6.1
has caused the Debian Bug report #584653,
regarding ghostscript: does not honor -P- option
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
584653: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584653
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ghostscript
Version: 8.62.dfsg.1-3.2
Severity: grave
Tags: security
This is a different issue than ghostscript defaulting -P and not -P-,
for which I'll file another bug report.
Ghostscript does not honor -P- for PostScript system libraries.
As gs_init.ps is such a file that is also responsible for all -dSAFER
options, having such a file in the current directory means the contents
of that file are executed with full privileges.
$ ls doh
ls: cannot access doh: No such file or directory
$ cat gs_init.ps
862
(doh) (w) file
$ /usr/bin/gs -P- -dSAFER
$ ls doh
doh
(Note that for different versions of gs you need to change the number in
the first line).
See also
http://bugs.ghostscript.com/show_bug.cgi?id=691350
and
http://www.openwall.com/lists/oss-security/2010/05/29/2
Bernhard R. Link
--- End Message ---
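The report above shows that an affected gs picks up gs_init.ps from the current directory even with -P- -dSAFER. The following is an added example, not part of the bug report or of the Debian package: a check for such files in a directory, and a wrapper that starts gs from a fresh empty directory. The function names and the gs_*.ps pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: guard against a planted Ghostscript init file in the
# working directory on systems that may still run an unfixed gs.

# Report every entry in DIR named gs_*.ps; return 1 if any exists.
# Assumption: gs_*.ps covers gs_init.ps from the report plus the other
# init files that Ghostscript ships under the same prefix.
find_gs_shadow_files() {
    dir=${1:-.}
    found=0
    for f in "$dir"/gs_*.ps; do
        # An unmatched glob stays literal, so test for existence; -L also
        # catches a dangling symlink, which -e alone would miss.
        if [ -e "$f" ] || [ -L "$f" ]; then
            printf 'suspicious init file: %s\n' "$f" >&2
            found=1
        fi
    done
    return "$found"
}

# Run gs from a fresh, empty directory so nothing in the caller's working
# directory can be searched. File arguments must be absolute paths.
run_gs_isolated() {
    # Refuse to continue on a finding so that it gets investigated.
    find_gs_shadow_files "$PWD" || return 1
    workdir=$(mktemp -d) || return 1
    ( cd "$workdir" && gs -P- -dSAFER "$@" )
    status=$?
    # rmdir only succeeds if gs left the directory empty.
    rmdir "$workdir" 2>/dev/null
    return "$status"
}
```

Calling find_gs_shadow_files on a spool or upload directory before any gs job runs there gives a cheap detection point; run_gs_isolated is the mitigation for hosts that cannot be upgraded to the fixed package yet.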
--- Begin Message ---
Source: ghostscript
Source-Version: 8.71~dfsg2-6.1
We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive:
ghostscript-cups_8.71~dfsg2-6.1_i386.deb
to main/g/ghostscript/ghostscript-cups_8.71~dfsg2-6.1_i386.deb
ghostscript-doc_8.71~dfsg2-6.1_all.deb
to main/g/ghostscript/ghostscript-doc_8.71~dfsg2-6.1_all.deb
ghostscript-x_8.71~dfsg2-6.1_i386.deb
to main/g/ghostscript/ghostscript-x_8.71~dfsg2-6.1_i386.deb
ghostscript_8.71~dfsg2-6.1.debian.tar.gz
to main/g/ghostscript/ghostscript_8.71~dfsg2-6.1.debian.tar.gz
ghostscript_8.71~dfsg2-6.1.dsc
to main/g/ghostscript/ghostscript_8.71~dfsg2-6.1.dsc
ghostscript_8.71~dfsg2-6.1_i386.deb
to main/g/ghostscript/ghostscript_8.71~dfsg2-6.1_i386.deb
gs-common_8.71~dfsg2-6.1_all.deb
to main/g/ghostscript/gs-common_8.71~dfsg2-6.1_all.deb
gs-esp_8.71~dfsg2-6.1_all.deb
to main/g/ghostscript/gs-esp_8.71~dfsg2-6.1_all.deb
gs-gpl_8.71~dfsg2-6.1_all.deb
to main/g/ghostscript/gs-gpl_8.71~dfsg2-6.1_all.deb
libgs-dev_8.71~dfsg2-6.1_i386.deb
to main/g/ghostscript/libgs-dev_8.71~dfsg2-6.1_i386.deb
libgs8_8.71~dfsg2-6.1_i386.deb
to main/g/ghostscript/libgs8_8.71~dfsg2-6.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Gilbert <[email protected]> (supplier of updated ghostscript
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 09 Dec 2010 21:40:17 -0500
Source: ghostscript
Binary: ghostscript gs-esp gs-gpl gs-common ghostscript-cups ghostscript-x
ghostscript-doc libgs8 libgs-dev
Architecture: source all i386
Version: 8.71~dfsg2-6.1
Distribution: unstable
Urgency: medium
Maintainer: Jonas Smedegaard <[email protected]>
Changed-By: Michael Gilbert <[email protected]>
Description:
ghostscript - The GPL Ghostscript PostScript/PDF interpreter
ghostscript-cups - The GPL Ghostscript PostScript/PDF interpreter - CUPS
filters
ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter -
Documentation
ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display
suppor
gs-common - Dummy package depending on ghostscript
gs-esp - Transitional package
gs-gpl - Transitional package
libgs-dev - The Ghostscript PostScript Library - Development Files
libgs8 - The Ghostscript PostScript/PDF interpreter Library
Closes: 584653 584663
Changes:
ghostscript (8.71~dfsg2-6.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Fix various aspects of CVE-2010-2055:
- Honor -P- command-line option (closes: #584653).
- Set SEARCH_HERE_FIRST=0 by default (closes: #584663).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk0Xx+oACgkQXm3vHE4uyloRRwCgya/mbu2KyDvwiDHR72LrpZTy
T8kAoLgEJAi82cSngI73fsJdk8PhBNL3
=c6uK
-----END PGP SIGNATURE-----
--- End Message ---