On Fri, Nov 29, 2019 at 03:16:37PM +0000, wilfried.pasca...@orange.com wrote:
> Package: pari
> Version: 2.11.1-2
>
> Georgi Guninski disclosed on Nov 26 a vulnerability on Full Disclosure [1].
>
> He's saying that pari/gp packages are vulnerable to an arbitrary code
> execution; and mainstream package versions are vulnerable on Stretch
> and Buster.
Hello Wilfried,

Georgi Guninski is mistaken. gp is a language interpreter like bash, perl and python. They all allow arbitrary code execution. The ability to write files and run arbitrary code is a feature and not a bug.

GP is not documented as providing an environment with security properties, so there cannot be a vulnerability.

Cheers,
--
Bill. <ballo...@debian.org>

Imagine a large red swirl here.