Your message dated Tue, 01 Jun 2010 12:27:35 +0200
with message-id <4c04e097.4070...@free.fr>
and subject line Re: Bug#584013: hyperlatex: Security bugs in ghostscript
has caused the Debian Bug report #584017,
regarding latex-make: Security bugs in ghostscript
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
584017: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584017
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: latex-make
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package depends on ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
--- Begin Message ---
  Hi,

On 01/06/2010 10:31, Roland Stigge wrote:
> Hi,
>
> On 06/01/2010 03:10 AM, Paul Szabo wrote:
>> This package depends on ghostscript, and may be affected. Please
>> evaluate the security of this package, and fix if needed.
>
> There are several issues with this bug:
>
> (1) If ghostscript has a bug, maybe it should be fixed there instead of
> in all gs dependent packages?
>
> (2) Mass bug filing (esp. RC/security) is generally not a great idea,
> especially if
>
> (3) You haven't checked the individual packages ("This package depends
> on ghostscript, and may be affected").
>
> (4) Please state clearly what's wrong with the package (hyperlatex in
> this case). From the other bug reports I deduce that gs calls should be
> extended with "-P- -dSAFER". This should be done in the hyperlatex
> source package in bin/ps2image, for the record.

  I agree on all points of this mail (replace "hyperlatex" by
"latex-make" in my case).
  I'm closing the bug for latex-make unless you come back with facts (or
a discussion on d-d agrees that all packages using gs must be changed).
I'm latex-make upstream, too. And I think that I depend on gs-common due
to calls to ps2ps/ps2pdf/... latex-make does not call gs directly.

  Please take care when filing such a number of bugs with such severity
just before a release.

  Regards,
    Vincent


--- End Message ---
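
The per-package check discussed in the thread above (direct gs calls extended with "-P- -dSAFER"), as an added example that is not part of the original messages and not code from hyperlatex or latex-make. The function name `audit_gs_calls` and the sample script are constructed for illustration.

```shell
#!/bin/sh
# audit_gs_calls FILE...
# Prints "FILE:LINE: missing FLAGS" for each direct gs call lacking -dSAFER
# or -P-; exit status 1 if any was found. Heuristic: literal command words
# only, so wrappers such as ps2pdf (which run gs themselves) are not flagged.
audit_gs_calls() {
    awk '
    function check(cmd, file, lineno,    n, i, tok, called, safer, nocwd, miss) {
        if (cmd ~ /^[ \t]*#/) return                 # whole-line comment
        n = split(cmd, tok, /[ \t;|&()`]+/)          # rough shell word split
        for (i = 1; i <= n; i++) {
            if (tok[i] == "gs" || tok[i] ~ /\/gs$/) called = 1
            if (tok[i] == "-dSAFER") safer = 1
            if (tok[i] == "-P-")     nocwd = 1
        }
        if (!called) return
        if (!safer) miss = miss " -dSAFER"
        if (!nocwd) miss = miss " -P-"
        if (miss != "") {
            printf "%s:%d: missing%s\n", file, lineno, miss
            bad = 1
        }
    }
    {
        if (buf == "") start = FNR                   # first line of a command
        buf = buf $0
        if (buf ~ /\\$/) { sub(/\\$/, " ", buf); next }   # join continuation
        check(buf, FILENAME, start)
        buf = ""
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample script, not taken from any real package.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/sh
# gs -q old.ps
gs -q -dNOPAUSE -dBATCH -sDEVICE=ppmraw -sOutputFile=out.ppm in.ps
gs -P- -dSAFER -q -dNOPAUSE -dBATCH \
   -sDEVICE=ppmraw -sOutputFile=out.ppm in.ps
/usr/bin/gs -dSAFER -q in.ps
ps2pdf in.ps out.pdf
EOF
audit_gs_calls "$sample" || echo "review the gs calls listed above"
rm -f "$sample"
```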
