On Sun, Nov 18, 2018 at 11:19:00AM -0500, Gary Dale wrote:
> This is one of those WTF moments. Despite the fact that Ghostscript 9.25
> has been known to break Scribus since at least the start of the month, the
> Stable version of Ghostscript has just been changed from 9.22 to 9.25.
> Of course, the world does not revolve around Scribus.
>
> This was apparently done to patch a security hole - possibly
> https://www.cvedetails.com/cve/CVE-2018-10194/ found in 2018-04-18. However
> it seems to me that the cure is worse than the disease since it now renders
> an important (for me, anyway) application useless. Instead I need to keep
> the old version of Ghostscript on my laptop in order to be able to import
> EPS & PDF files and export the document to PDF.

The complete changelog [0] for the new version shows that there were lots of changes.

> I recognize that there is no perfect solution to this problem but breaking
> an existing program should not be allowed within the Stable branch.

Though I was not involved in this particular decision, I have been involved in some of Debian's security work. There are occasions where the security team must balance the impact of a fix against users. There are instances where the decision is made (based on severity of vulnerability, likelihood of exploitation, exploitability via remote means, availability of workarounds, and other factors) to not fix something because the fix is too intrusive (and may break something). There are other occasions where the decision is made to make a fix that might introduce some breakage along with it, because the vulnerability is of a severity that justifies that. Breaking existing applications is not taken lightly, and the security team goes to great lengths to prevent breakage altogether or to minimize breakage when avoidance is not possible.

> I'm glad that I luckily created a virtual machine running Stretch just as
> the upgrade to Ghostscript was added to Stable so that I can stop it from
> affecting my laptop. At least I still have a machine that can handle Scribus
> documents containing PDFs. However I believe the maintainers should roll
> back the update until they have a version that works with Scribus.

According to the package tracker [1], version 9.20~dfsg-3.2+deb9u5 is still available in stretch. That means that those previous version packages are still installable on your system. You can do something like:

  apt-get install ghostscript=9.20~dfsg-3.2+deb9u5 libgs9=9.20~dfsg-3.2+deb9u5 libgs9-common=9.20~dfsg-3.2+deb9u5

If you have other GS packages installed (e.g., ghostscript-x, libgs-dev, etc.) then you will need to include them in the command. Once you have done that, put them on hold in whatever package manager(s) you use. The procedure varies based on the particular package manager, so you should consult the documentation. In any event, the "hold" status will prevent future upgrades of the packages, allowing you to retain the functionality that you need.

You might consider contacting the security team to see if they will reconsider, but that is very unlikely to happen.

Regards,

-Roberto

[0] https://tracker.debian.org/news/1002381/accepted-ghostscript-925dfsg-0deb9u1-source-into-stable-embargoed-stable/
[1] https://tracker.debian.org/pkg/ghostscript

--
Roberto C. Sánchez
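The downgrade-and-hold procedure described in the reply above, written out as an added example script; this is not part of Roberto's message or of Debian's own tooling. The package names and the 9.20~dfsg-3.2+deb9u5 version string are taken from the reply; the pin file under /etc/apt/preferences.d, the version check function and the GS_APPLY switch are assumptions of mine, as is the sample dpkg-query output used in the checks. One caveat the thread itself makes plain: while the hold is in place, the fixes that went into 9.25 are absent from that machine, so the hold is a stopgap to revisit, not a permanent setting.

```shell
#!/bin/sh
# Added example (not from the original message): downgrade the stretch
# ghostscript packages to 9.20~dfsg-3.2+deb9u5, pin and hold them, and
# check that the hold took. Names and version come from the reply above;
# the pin file location, the check function and GS_APPLY are assumptions.

GS_VERSION='9.20~dfsg-3.2+deb9u5'
# Extend this list if `dpkg -l 'ghostscript*' 'libgs*'` shows more
# installed packages (ghostscript-x, libgs-dev, ...).
GS_PACKAGES='ghostscript libgs9 libgs9-common'

# Build the "pkg=version" arguments apt-get install needs so that all the
# packages are downgraded in one transaction and the versioned dependencies
# between them stay satisfied.
gs_install_args() {
    _ver=$1
    shift
    _args=''
    for _p in "$@"; do
        _args="${_args:+$_args }${_p}=${_ver}"
    done
    printf '%s' "$_args"
}

# Render an APT preferences stanza. A priority above 1000 makes apt keep
# this version even though a newer one is available in the archive.
gs_pin_stanza() {
    _ver=$1
    shift
    printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n' "$*" "$_ver"
}

# Write the stanza into a preferences.d directory and print the file path.
gs_write_pin() {
    _dir=$1
    _ver=$2
    shift 2
    _file="$_dir/ghostscript-hold"
    gs_pin_stanza "$_ver" "$@" > "$_file"
    printf '%s' "$_file"
}

# Verify installed versions. $2 is dpkg-query output with one
# "<package> <version>" line per package; succeed only if every line
# carries the pinned version $1.
gs_check_versions() {
    _ver=$1
    _status=$2
    _bad=$(printf '%s\n' "$_status" |
        awk -v v="$_ver" 'NF && $2 != v { n++ } END { print n + 0 }')
    [ "$_bad" -eq 0 ]
}

# Only touch the system when explicitly asked (as root: GS_APPLY=1 sh pin-gs.sh).
# Word splitting of $GS_PACKAGES and the argument list is intended.
if [ "${GS_APPLY:-0}" = 1 ]; then
    apt-get install -y $(gs_install_args "$GS_VERSION" $GS_PACKAGES)
    gs_write_pin /etc/apt/preferences.d "$GS_VERSION" $GS_PACKAGES > /dev/null
    apt-mark hold $GS_PACKAGES
    gs_check_versions "$GS_VERSION" \
        "$(dpkg-query -W -f '${Package} ${Version}\n' $GS_PACKAGES)" ||
        { echo 'ghostscript is not at the pinned version' >&2; exit 1; }
    apt-mark showhold
fi
```

Sourcing the file without GS_APPLY only defines the functions, which is what makes the argument builder and the version check usable on their own (for example in a cron job that re-runs gs_check_versions against live dpkg-query output). Both the preferences pin and `apt-mark hold` are kept because the pin also steers `apt-get install` and `apt-get upgrade` back to the chosen version, whereas the hold alone only blocks upgrades.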