Your message dated Wed, 04 Aug 2010 00:47:23 +0000
with message-id <e1ogs8h-000471...@franck.debian.org>
and subject line Bug#584667: fixed in ghostscript 8.71~dfsg2-4
has caused the Debian Bug report #584667,
regarding ghostscript: scripts call gs without -P-
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
584667: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584667
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ghostscript
Version: 8.62.dfsg.1-3.2
Severity: grave
Tags: security
If http://bugs.debian.org/584663 is fixed and not closed as wontfix, then
this is only wishlist. As long as http://bugs.debian.org/584653 is not
fixed, this opens no new security holes and fixing this has no effect.
Ghostscript comes with a number of helper scripts in /usr/bin, which
call gs with a number of options. As they do not change to a secure
working directory and call gs without -P-, gs will use files from the
current directory instead of the files it ships, allowing other people
with write access to the current directory to execute code as the user
calling this script.
For example if a user does:
    cd /tmp
    pstopdf test.ps
anyone with write access to /tmp could for example replace the user's
~/.ssh/authorized_keys file with content of their choosing by creating
a /tmp/gs_init.ps file.
This issue would be fixed by making -P- the default as suggested in
http://bugs.debian.org/584663.
But even if ghostscript is fixed that way it would be nice to have
those scripts fixed so people copying stuff from there also get safe
scripts elsewhere.
I think this is http://bugs.ghostscript.com/show_bug.cgi?id=691355 so
it might already be fixed for future versions.
Remember that until http://bugs.debian.org/584653 is fixed, -P- will
make no difference, so testing this is hard...
Bernhard R. Link
--- End Message ---
--- Begin Message ---
Source: ghostscript
Source-Version: 8.71~dfsg2-4
We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive:
ghostscript-cups_8.71~dfsg2-4_i386.deb
to main/g/ghostscript/ghostscript-cups_8.71~dfsg2-4_i386.deb
ghostscript-doc_8.71~dfsg2-4_all.deb
to main/g/ghostscript/ghostscript-doc_8.71~dfsg2-4_all.deb
ghostscript-x_8.71~dfsg2-4_i386.deb
to main/g/ghostscript/ghostscript-x_8.71~dfsg2-4_i386.deb
ghostscript_8.71~dfsg2-4.debian.tar.gz
to main/g/ghostscript/ghostscript_8.71~dfsg2-4.debian.tar.gz
ghostscript_8.71~dfsg2-4.dsc
to main/g/ghostscript/ghostscript_8.71~dfsg2-4.dsc
ghostscript_8.71~dfsg2-4_i386.deb
to main/g/ghostscript/ghostscript_8.71~dfsg2-4_i386.deb
gs-common_8.71~dfsg2-4_all.deb
to main/g/ghostscript/gs-common_8.71~dfsg2-4_all.deb
gs-esp_8.71~dfsg2-4_all.deb
to main/g/ghostscript/gs-esp_8.71~dfsg2-4_all.deb
gs-gpl_8.71~dfsg2-4_all.deb
to main/g/ghostscript/gs-gpl_8.71~dfsg2-4_all.deb
libgs-dev_8.71~dfsg2-4_i386.deb
to main/g/ghostscript/libgs-dev_8.71~dfsg2-4_i386.deb
libgs8_8.71~dfsg2-4_i386.deb
to main/g/ghostscript/libgs8_8.71~dfsg2-4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 584...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Muehlenhoff <j...@debian.org> (supplier of updated ghostscript package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 31 Jul 2010 23:19:42 -0400
Source: ghostscript
Binary: ghostscript gs-esp gs-gpl gs-common ghostscript-cups ghostscript-x ghostscript-doc libgs8 libgs-dev
Architecture: source all i386
Version: 8.71~dfsg2-4
Distribution: unstable
Urgency: medium
Maintainer: Masayuki Hatta (mhatta) <mha...@debian.org>
Changed-By: Moritz Muehlenhoff <j...@debian.org>
Description:
ghostscript - The GPL Ghostscript PostScript/PDF interpreter
ghostscript-cups - The GPL Ghostscript PostScript/PDF interpreter - CUPS filters
ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - Documentation
ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display suppor
gs-common - Dummy package depending on ghostscript
gs-esp - Transitional package
gs-gpl - Transitional package
libgs-dev - The Ghostscript PostScript Library - Development Files
libgs8 - The Ghostscript PostScript/PDF interpreter Library
Closes: 584516 584667
Changes:
ghostscript (8.71~dfsg2-4) unstable; urgency=medium
.
* Collab-maint upload, adding myself to uploaders temporarily
* Fix CVE-2010-1628 (Closes: #584516)
* Apply upstream commit r11351 to pass -P- to all Ghostscript
internal tools. Ghostscript will likely be changed to run
with -P- by default, but this still needs more work/testing
for a final patch (Closes: #584667)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkxYtWUACgkQXm3vHE4uylplgACeKHR6c3Ty3zLdUyaDMEu9ieTZ
Z5YAn2ZlsNQCgcQ2XQjwGu2wj20tFqA0
=xaMr
-----END PGP SIGNATURE-----
--- End Message ---
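The report and the r11351 changelog entry above both turn on whether wrapper scripts pass -P- to gs. The following is an added example, not part of the original messages or of Ghostscript's own code: a small audit that flags gs invocations lacking -P-. The sample wrappers are constructed, and the `GS_EXECUTABLE` variable name and the command-word heuristic are assumptions.

```shell
#!/bin/sh
# Added example: flag gs invocations in wrapper scripts that lack -P-.
# Heuristic (assumption): a gs call is a logical line, with backslash
# continuations joined, whose command word is gs or "$GS_EXECUTABLE".

gs_calls_missing_P() {
    # Prints "file:line: command" for each gs invocation without -P-.
    awk '
        function check(   cmd) {
            cmd = buf
            sub(/^[ \t]*(exec[ \t]+)?/, "", cmd)
            if (cmd ~ /^("?\$GS_EXECUTABLE"?|gs)([ \t]|$)/ &&
                cmd !~ /(^|[ \t])-P-([ \t]|$)/)
                printf "%s:%d: %s\n", FILENAME, start, cmd
        }
        buf == "" && /^[ \t]*#/ { next }      # skip comment lines
        {
            if (buf == "") start = FNR
            if (sub(/\\$/, " ")) { buf = buf $0; next }   # continuation
            buf = buf $0; check(); buf = ""
        }
    ' "$@"
}

make_samples() {
    # Constructed sample wrappers, not the scripts Ghostscript ships.
    cat > "$1/old-wrapper" <<'EOF'
#!/bin/sh
exec gs -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite \
    -sOutputFile="$2" "$1"
EOF
    cat > "$1/new-wrapper" <<'EOF'
#!/bin/sh
exec "$GS_EXECUTABLE" -q -P- -dNOPAUSE -dBATCH -sDEVICE=pdfwrite \
    -sOutputFile="$2" "$1"
EOF
}

# Demo: only old-wrapper is reported (at line 2).
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
gs_calls_missing_P "$demo_dir"/*
rm -rf "$demo_dir"
```

Invocations reached through a pipe or assembled from variables are outside this heuristic and need manual review.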