Hi,

I agree with Salvatore that in general disabling PDF is the safer solution.
I am slowly recovering from work debt due to the COVID-19 lockdown in France (I was locked down for three months, and I could only work by night for my paying job, so Debian work was not done), but I will accept a patch. The solution to this tradeoff problem is a debconf question. I will accept a patch.

Bastien

On Sun, Dec 13, 2020 at 9:21 PM Salvatore Bonaccorso <car...@debian.org> wrote:
>
> Hi,
>
> Cc'ing the security-team alias.
>
> On Wed, Oct 07, 2020 at 01:15:23PM -0700, Felix Lechner wrote:
> > Control: tags -1 + patch
> >
> > Hi,
> >
> > > Is this because of a ghostscript vulnerability?
> >
> > The PDF policy restriction is also in effect on Debian stable even
> > though that release ships with Ghostscript 9.27, which online sources
> > suggest is safe. [1]
> >
> > Converting images to PDF is a very common functionality. Please
> > provide a backport with the attached patch, or similar. Thanks!
>
> It is actually unlikely for the moment that we will revert the
> 200-disable-ghostscript-formats.patch patch again, which was first
> included in the 8:6.9.10.23+dfsg-2.1+deb10u1 upload. It does mitigate
> in general problems with the Ghostscript-handled formats, e.g. the
> (new) CVE-2020-29599, cf.
> https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
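The setting this thread is arguing over is the set of `<policy domain="coder">` entries in ImageMagick's policy.xml. As an added example (not code from this bug report, the Debian package or its 200-disable-ghostscript-formats.patch), here is a small Python checker that parses a policy file and reports which of the Ghostscript-handled coders it still lets ImageMagick read or write. The three sample policies are constructed for the example; the coder list and the rights semantics it models (a matching coder entry that withholds the right denies it, `rights="none"` grants nothing, an unmatched coder is unrestricted, only fnmatch-style globs in patterns) are my assumptions about policy.xml behaviour, not anything the thread states.

```python
"""Added example: check which Ghostscript-handled coders an ImageMagick
policy.xml still allows ImageMagick to read (the direction CVE-2020-29599
goes through, since reading PDF/PS invokes the Ghostscript delegate) and
which it still allows it to write (which is all `convert image.png out.pdf`
needs).

Assumed semantics (not stated in the thread): every coder-domain entry
whose glob pattern matches the coder name must grant the requested right;
rights="none" grants nothing; an entry without a rights attribute is treated
as granting nothing; a coder that no entry matches is unrestricted.  Brace
alternation in patterns is not modelled, only fnmatch-style globs.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Coders ImageMagick hands to Ghostscript: the set the Debian patch locks down.
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample 1: the "safer solution" from the thread, everything off.
POLICY_DISABLED = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
"""

# Constructed sample 2: a compromise a debconf question could offer, keeping
# image-to-PDF conversion while refusing to read the Ghostscript formats.
POLICY_WRITE_ONLY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="coder" rights="write" pattern="PS" />
  <policy domain="coder" rights="write" pattern="PS2" />
  <policy domain="coder" rights="write" pattern="PS3" />
  <policy domain="coder" rights="write" pattern="EPS" />
  <policy domain="coder" rights="write" pattern="PDF" />
  <policy domain="coder" rights="write" pattern="XPS" />
</policymap>
"""

# Constructed sample 3: no coder restrictions at all (only a resource limit).
POLICY_OPEN = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>
"""


def _rights_tokens(value: str) -> set[str]:
    """Split a rights attribute such as "read | write" into lowercase tokens."""
    return {tok.strip().lower() for tok in value.split("|") if tok.strip()}


def coder_allows(policy_xml: str, coder: str, right: str) -> bool:
    """True if `right` ("read", "write" or "execute") on `coder` survives
    every matching coder-domain policy entry in `policy_xml`."""
    root = ET.fromstring(policy_xml)
    coder = coder.upper()
    for entry in root.iter("policy"):
        if entry.get("domain", "").lower() != "coder":
            continue
        pattern = entry.get("pattern", "").upper()
        if not fnmatch.fnmatchcase(coder, pattern):
            continue
        tokens = _rights_tokens(entry.get("rights", "none"))
        # A matching entry that does not grant the right denies it; "none"
        # grants nothing, "all" (where the build supports it) grants everything.
        if "none" in tokens:
            return False
        if right not in tokens and "all" not in tokens:
            return False
    return True


def readable_gs_coders(policy_xml: str) -> list[str]:
    """Ghostscript-handled coders the policy still lets ImageMagick read."""
    return [c for c in GS_CODERS if coder_allows(policy_xml, c, "read")]


def writable_gs_coders(policy_xml: str) -> list[str]:
    """Ghostscript-handled coders the policy still lets ImageMagick write."""
    return [c for c in GS_CODERS if coder_allows(policy_xml, c, "write")]


if __name__ == "__main__":
    for name, xml in (("disabled", POLICY_DISABLED),
                      ("write-only", POLICY_WRITE_ONLY),
                      ("open", POLICY_OPEN)):
        print(f"{name:10s} readable={readable_gs_coders(xml)} "
              f"writable={writable_gs_coders(xml)}")
```

Pointing `coder_allows` at the real /etc/ImageMagick-6/policy.xml on a stable host confirms whether the deb10u1 restriction is actually in effect there. The write-only sample is the middle ground Felix's request points at: conversion to PDF keeps working, reading PDF (the path through the Ghostscript delegate) does not; whether that is acceptable for a given installation is exactly the tradeoff the thread leaves to a debconf question.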