Dear Jonas,

>>> deb http://debian.jones.dk/ squeeze printing
>>
>> I have now upgraded a machine to squeeze and tried your
>> ghostscript 9.00~dfsg-1~0jones1
>> package, it works perfectly, thanks.
>> [snip]
>> Could your package include the patch for bug #592569 also,
>> to have -dSAFER as default?
>
> It seems to me that Moritz's judgement, particularly on the issue of
> -dSAFER, is sane, and that your later points of insecurity are a mashup of
> multiple issues, each of them tracked as separate bugs for Debian, and
> some of them solved by the new upstream release 9.00. Is that correct?
>
> If so, what makes you persistently ask, when Moritz already explained
> the situation regarding this particular bug?
>
> If not, please help by documenting clearly the security implications of
> THIS bug alone, testing against a packaging of ghostscript 9.00.
Not wishing to argue with Moritz.

The danger is of some innocent user doing

  gs myfile.ps

without the requisite -dSAFER option: some uneducated novice user, or maybe
some not-so-smart utility via mailcap or similar. It is not universally
known that -dSAFER is needed; whereas all who wish to do insecure things
know (should know) to use -dNOSAFER or DELAYSAFER or somesuch. Utilities
should be safe by default, particularly when that is the usual way of
operation; fancy options should be needed for the unusual cases.

Sorry if my previous attempt at describing an attack was a mashup. Suppose
I somehow send the victim a PS file, and convince him to open it with gs
(tell him to do so, manually from the command line?). Unless the victim is
knowledgeable about the need for -dSAFER, his account is "taken".

- The need for -dSAFER is exactly the same as was for -P-, and that was
  accepted as a "grave" bug. (If anything, a lack of -dSAFER is easier to
  exploit, with just the one PS file.)

If -dSAFER is ever a good idea, then now is a good time to change.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia