Your message dated Thu, 19 Aug 2010 09:17:22 +0000
with message-id <e1om1fs-0004pz...@franck.debian.org>
and subject line Bug#584667: fixed in ghostscript 8.71~dfsg2-6
has caused the Debian Bug report #584667,
regarding ghostscript: scripts call gs without -P-
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
584667: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584667
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ghostscript
Version: 8.62.dfsg.1-3.2
Severity: grave
Tags: security

If http://bugs.debian.org/584663 is fixed and not closed as wontfix, then
this is only wishlist. As long as http://bugs.debian.org/584653 is not
fixed, this opens no new security holes and fixing this has no effect.

Ghostscript comes with a number of helper scripts in /usr/bin, which
call gs with a number of options. As they do not change to a secure
working directory and call gs without -P-, gs will use files from the
current directory instead of the files it ships, allowing other people
with write access to the current directory to execute code as the user
calling this script.

For example if a user does:

cd /tmp
pstopdf test.ps

anyone with write access to /tmp could for example replace the user's
~/.ssh/authorized_keys file with content of their choosing by creating
a /tmp/gs_init.ps file.

This issue would be fixed by making -P- the default as suggested in
http://bugs.debian.org/584663.

But even if ghostscript is fixed that way it would be nice to have
those scripts fixed so people copying stuff from there also get safe
scripts elsewhere.

I think this is http://bugs.ghostscript.com/show_bug.cgi?id=691355 so
it might already be fixed for future versions.

Remember that until http://bugs.debian.org/584653 is fixed, -P- will
make no difference, so testing this is hard...

        Bernhard R. Link



--- End Message ---
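
Added example, not part of the original report or of the Ghostscript package: one way to check a directory of helper scripts for the pattern the report describes, gs invoked without -P-. The sample wrappers, the function names and the matching heuristic ("gs" or "$GS_EXECUTABLE" as a command word) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list gs invocations in helper scripts that lack -P-.
# Heuristic text scan; it never runs gs or the scripts it reads.

# audit_gs_calls DIR: print "file:line: command" for each gs call without
# -P-, and return 1 if any were found.
audit_gs_calls() {
    hits=$(
        for f in "$1"/*; do
            [ -f "$f" ] || continue
            # Only inspect scripts, i.e. files that start with "#!".
            case $(head -c 2 "$f" 2>/dev/null) in '#!') ;; *) continue ;; esac
            awk '
                {
                    if (buf == "") start = NR
                    # Join backslash-continued lines into one command.
                    if ($0 ~ /\\$/) { sub(/\\$/, " "); buf = buf $0; next }
                    cmd = buf $0; buf = ""
                    if (cmd ~ /^[ \t]*#/) next
                    if (cmd ~ /(^|[^A-Za-z0-9_$-])("?\$GS_EXECUTABLE"?|gs)[ \t]/ &&
                        cmd !~ /[ \t]-P-([ \t]|$)/)
                        printf "%s:%d: %s\n", FILENAME, start, cmd
                }' "$f"
        done
    )
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample wrappers (not Ghostscript's own files).
write_samples() {
    printf '%s\n' '#!/bin/sh' 'exec gs -q -dNOPAUSE -dBATCH \' \
        '    -sDEVICE=pdfwrite -sOutputFile="$2" "$1"' > "$1/unsafe-wrapper"
    printf '%s\n' '#!/bin/sh' \
        'exec gs -P- -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite "$@"' > "$1/safe-wrapper"
}

tmp=$(mktemp -d) && write_samples "$tmp"
audit_gs_calls "$tmp" || echo "gs calls without -P- found"
rm -rf "$tmp"
```

A clean result only means no textual match; as the report notes, -P- has no effect until http://bugs.debian.org/584653 is fixed.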
--- Begin Message ---
Source: ghostscript
Source-Version: 8.71~dfsg2-6

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive:

ghostscript-cups_8.71~dfsg2-6_amd64.deb
  to main/g/ghostscript/ghostscript-cups_8.71~dfsg2-6_amd64.deb
ghostscript-doc_8.71~dfsg2-6_all.deb
  to main/g/ghostscript/ghostscript-doc_8.71~dfsg2-6_all.deb
ghostscript-x_8.71~dfsg2-6_amd64.deb
  to main/g/ghostscript/ghostscript-x_8.71~dfsg2-6_amd64.deb
ghostscript_8.71~dfsg2-6.debian.tar.gz
  to main/g/ghostscript/ghostscript_8.71~dfsg2-6.debian.tar.gz
ghostscript_8.71~dfsg2-6.dsc
  to main/g/ghostscript/ghostscript_8.71~dfsg2-6.dsc
ghostscript_8.71~dfsg2-6_amd64.deb
  to main/g/ghostscript/ghostscript_8.71~dfsg2-6_amd64.deb
gs-common_8.71~dfsg2-6_all.deb
  to main/g/ghostscript/gs-common_8.71~dfsg2-6_all.deb
gs-esp_8.71~dfsg2-6_all.deb
  to main/g/ghostscript/gs-esp_8.71~dfsg2-6_all.deb
gs-gpl_8.71~dfsg2-6_all.deb
  to main/g/ghostscript/gs-gpl_8.71~dfsg2-6_all.deb
libgs-dev_8.71~dfsg2-6_amd64.deb
  to main/g/ghostscript/libgs-dev_8.71~dfsg2-6_amd64.deb
libgs8_8.71~dfsg2-6_amd64.deb
  to main/g/ghostscript/libgs8_8.71~dfsg2-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 584...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Thu, 19 Aug 2010 09:55:55 +0200
Source: ghostscript
Binary: ghostscript gs-esp gs-gpl gs-common ghostscript-cups ghostscript-x ghostscript-doc libgs8 libgs-dev
Architecture: source all amd64
Version: 8.71~dfsg2-6
Distribution: unstable
Urgency: low
Maintainer: Jonas Smedegaard <d...@jones.dk>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Description: 
 ghostscript - The GPL Ghostscript PostScript/PDF interpreter
 ghostscript-cups - The GPL Ghostscript PostScript/PDF interpreter - CUPS filters
 ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - Documentation
 ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display suppor
 gs-common  - Dummy package depending on ghostscript
 gs-esp     - Transitional package
 gs-gpl     - Transitional package
 libgs-dev  - The Ghostscript PostScript Library - Development Files
 libgs8     - The Ghostscript PostScript/PDF interpreter Library
Closes: 519141 583738 584516 584667
Changes: 
 ghostscript (8.71~dfsg2-6) unstable; urgency=low
 .
   * Acknowledge pseudo-NMUs.
     Closes: bug#584667, #584516, #583738, thanks to Moritz Muehlenhoff
     and Sebastian Dröge.
   * There is no such thing as a "collab-maint upload":
     + Edit historical changelog entries to avoid further repetition.
     + Document sensible use of collab-maint for NMUs in README.source.
   * Reorder patches to match upstream commit order.
   * Replace patches 0960-0962 (fix printing from GTK+ apps) from Ubuntu
     with corresponding patches cherry-picked from upstream.
   * Refresh patches using shortening options --no-timestamps --no-index
     -pab.
   * Bump Standards-Version to 3.9.1.
   * Put myself as maintainer and Hatta as uploader, to better reflect
     our current levels of activity.
   * Drop superfluous cleanup in preinst of transitional gs-common.
     Thanks to Jonathan Nieder (see bug#519141).
   * Fix circular dependency: Stop ugly transitional hack of ghostscript
     depending on gs-common (which depends on ghostscript).
     Closes: bug#519141, thanks to Bill Allombert, Jonathan Nieder and
     others (see also bug#539754).
   * Add patch 011547 cherry-picked from upstream Subversion, to improve
     cups device support for rendering with high memory demands. Possibly
     fixes bug#534414 (try also setting RIPCache=auto in cupsd.conf).



--- End Message ---