Dear Norbert,

> That is right, but still it is a bug of ghostscript and should
> be treated there, not anywhere else.

Yes. And when they advise you to use -P- (and refuse to make that the
default), you just need to follow: you need to change. (But yes, such
a gs requirement, leaving it "insecure by default", is insane.)

I note that right now, gs is unsafe even with -P-.

> Furthermore, gs is not run with extended privileges, so that
> does not compromise the system unless the cups code is forwarding
> that to gs.

Only affects the users of cups: all user accounts are now compromised.
I also guess that cups may be used for printing... I do not know whether
that runs as root (compromising the whole machine) or as user "printer"
(allowing attackers to "steal" sensitive printouts).

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


