On Sun, Nov 21, 2010 at 06:04:13PM +1100, paul.sz...@sydney.edu.au wrote:
> Dear Jonas,
>
> deb http://debian.jones.dk/ squeeze printing
>
> I have now upgraded a machine to squeeze and tried your
> ghostscript 9.00~dfsg-1~0jones1
> package, it works perfectly, thanks.
> [snip]
> Could your package include the patch for bug #592569 also,
> to have -dSAFER as default?

It seems to me that Moritz's judgement, particularly on the issue of -dSAFER, is sane, and that your later points on insecurity are a mashup of multiple issues, each of them tracked as a separate bug for Debian, and some of them solved by the new upstream release 9.00. Is that correct?

If so, what makes you persistently ask, when Moritz already explained the situation regarding this particular bug?

If not, please help by documenting clearly the security implications of THIS bug alone, testing against a packaging of ghostscript 9.00.

> Not wishing to argue with Moritz.

But that is exactly what you do: counter-argue his arguments - and there's nothing wrong with that :-)


> The danger is of some innocent user doing
>  gs myfile.ps
> without the requisite -dSAFER option: some uneducated novice user,
> or maybe some not-so-smart utility via mailcap or similar.
>
> It is not universally known that -dSAFER is needed; whereas all who wish to do insecure things know (or should know) to use -dNOSAFER or DELAYSAFER or somesuch. Utilities should be safe by default, particularly when that is the usual way of operation; fancy options should be needed for the unusual cases.

> Sorry if my previous attempt at describing an attack was a mashup.
> Suppose I somehow send the victim a PS file, and convince him to open
> it with gs (tell him to do so, manually from the command line?).
> Unless the victim is knowledgeable about the need for -dSAFER, his
> account is "taken". - The need for -dSAFER is exactly the same as was
> for -P-, and that was accepted as a "grave" bug. (If anything, a lack
> of -dSAFER is easier to exploit, with just the one PS file.)
>
> If -dSAFER is ever a good idea, then now is a good time to change.

This last part, I believe, is where we disagree:

Debian is in deep freeze - which means it is a _bad_ time to do changes which risk causing collateral damage. Upstream chose to not enable SAFER mode by default due to the risk of collateral damage, and the same logic applies to Debian when in freeze.

After Squeeze has been released it makes good sense to try it by default, as we then have plenty of time to weed out any surprises in software which uses ghostscript.


Thanks for your valuable input. I choose to not change this for Squeeze, unless you (or others) can provide more concrete proof that the system is insecure (other than by instructing a user to do insecure things - it is also possible to tell a user to execute "rm -rf ~/").


Kind regards,

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
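The thread's concern is a mailcap entry (or similar helper) that runs gs on an untrusted file without -dSAFER. As an added example, not part of this thread or of any Debian package, the following POSIX shell audit walks mailcap-style lines and flags ghostscript commands that neither enable SAFER nor deliberately opt out with -dNOSAFER or -dDELAYSAFER; the sample mailcap content is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit mailcap entries for gs
# invocations that leave the SAFER choice implicit.

# Return 0 (true) when the command string invokes gs and makes no explicit
# SAFER choice. -dNOSAFER / -dDELAYSAFER count as a deliberate decision,
# which is the distinction the thread draws. The "gs " match is a heuristic.
gs_entry_is_unsafe() {
    entry_cmd="$1"
    case "$entry_cmd" in
        *gs\ *|*ghostscript\ *) ;;      # a gs invocation: keep checking
        *) return 1 ;;                   # some other viewer: not our concern
    esac
    case "$entry_cmd" in
        *-dSAFER*|*-dNOSAFER*|*-dDELAYSAFER*) return 1 ;;
    esac
    return 0
}

# Read mailcap lines ("type; command; flags...") on stdin and print one
# "unsafe:" line per entry whose command runs gs without -dSAFER.
audit_mailcap() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
        mime_type=${line%%;*}
        rest=${line#*;}
        entry_cmd=${rest%%;*}                      # drop trailing flags
        if gs_entry_is_unsafe "$entry_cmd"; then
            printf 'unsafe: %s ->%s\n' "$mime_type" "$entry_cmd"
        fi
    done
}

# Constructed sample; only the PostScript entry should be reported.
SAMPLE_MAILCAP='application/postscript; gs -q -dBATCH -dNOPAUSE %s; needsterminal
application/pdf; gs -q -dSAFER -dBATCH -dNOPAUSE -sDEVICE=x11 %s
image/png; display %s
# application/x-dvi; gs %s'

printf '%s\n' "$SAMPLE_MAILCAP" | audit_mailcap
```

Run it against a real file with `audit_mailcap < ~/.mailcap` (or `/etc/mailcap`) to see which handlers would invoke gs on a received file without SAFER.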
