On Tue, Jun 01, 2010 at 11:11:19AM +1000, Paul Szabo wrote:
> Package: ijsgutenprint
> Severity: grave
> Tags: security
> Justification: user security hole
>
>
> Please note remote execute-any-code security bugs in ghostscript:
>
>   http://bugs.debian.org/583183
>
> This package depends on ghostscript, and may be affected. Please
> evaluate the security of this package, and fix if needed.

ijsgutenprint is a ghostscript IJS server driver. It's invoked /by/
ghostscript, so is not itself responsible for running ghostscript.

One potential source of vulnerabilities is actually in glue scripts
such as Foomatic, so I think this should probably be reassigned to
foomatic-db-gutenprint. Note that most/all of Foomatic and ancillary
data packages such as foomatic-db-gutenprint are packages you should
probably look at.

Have you considered a whole-archive search for e.g. -dSAFER in the
lintian lab? If a program is using -dSAFER, it should also be using
-P- in all likelihood. It's probably better than simply going off
package dependencies.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
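
The archive search suggested in the message above, as an added example that is not part of the original mail and is not lintian's own code: it walks an unpacked tree and reports command lines that pass -dSAFER without -P-. The function names and the two sample wrapper scripts are constructed for illustration, and the scan assumes the flags appear as literal words in the scanned files.

```python
import re
import tempfile
from pathlib import Path

SAFER = re.compile(r"(?<![\w-])-dSAFER\b")       # -dSAFER as its own word
NO_CWD = re.compile(r"(?<![\w-])-P-(?![\w-])")   # -P- as its own word

def logical_lines(text):
    """Yield (first_line_number, joined_line), merging backslash continuations."""
    buf, start = "", None
    for num, line in enumerate(text.splitlines(), 1):
        start = num if start is None else start
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:  # file ended on a continuation
        yield start, buf

def scan_file(path):
    """Return [(line_number, command)] for lines with -dSAFER but no -P-."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    return [(n, l.strip()) for n, l in logical_lines(text)
            if SAFER.search(l) and not NO_CWD.search(l)]

def scan_tree(root):
    """Walk an unpacked tree; map relative path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        hits = scan_file(path) if path.is_file() else []
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

def demo():
    """Constructed sample tree: one wrapper missing -P-, one carrying it."""
    samples = {
        "bad.sh": "#!/bin/sh\ngs -q -dSAFER -dNOPAUSE \\\n   -sDEVICE=ijs -sOutputFile=- -\n",
        "good.sh": "#!/bin/sh\ngs -q -dSAFER -P- -dNOPAUSE -sDEVICE=ijs -\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_text(body)
        return scan_tree(root)

if __name__ == "__main__": print(demo())
```

A hit is a candidate for manual review, not a confirmed bug: a wrapper may add -P- through a variable or a separate options file that this text match cannot see.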