On 2018-11-18 1:19 p.m., Roberto C. Sánchez wrote:
> On Sun, Nov 18, 2018 at 11:19:00AM -0500, Gary Dale wrote:
>> This is one of those WTF moments. Despite the fact that Ghostscript 9.25
>> has been known to break Scribus since at least the start of the month, the
>> Stable version of Ghostscript has just been changed from 9.22 to 9.25.
>>
> Of course, the world does not revolve around Scribus.

No, but it is a popular and important package that gives Linux a powerful publishing application.

>> This was apparently done to patch a security hole - possibly
>> https://www.cvedetails.com/cve/CVE-2018-10194/ found on 2018-04-18. However
>> it seems to me that the cure is worse than the disease since it now renders
>> an important (for me, anyway) application useless. Instead I need to keep
>> the old version of Ghostscript on my laptop in order to be able to import
>> EPS & PDF files and export the document to PDF.
>>
> The complete changelog [0] for the new version shows that there were
> lots of changes.
>
>> I recognize that there is no perfect solution to this problem but breaking
>> an existing program should not be allowed within the Stable branch.
>>
> Though I was not involved in this particular decision, I have been
> involved in some of Debian's security work.  There are occasions where
> the security team must balance the impact of a fix against users.  There
> are instances where the decision is made (based on severity of
> vulnerability, likelihood of exploitation, exploitability via remote
> means, availability of workarounds, and other factors) to not fix
> something because the fix is too intrusive (and may break something).
> There are other occasions where the decision is made to make a fix that
> might introduce some breakage along with it, because the vulnerability
> is of a severity that justifies that.
>
> Breaking existing applications is not taken lightly and the security
> team goes to great lengths to prevent breakage altogether or to minimize
> breakage when avoidance is not possible.

There have been lots of security holes found in Ghostscript that seem to revolve around buffer overflows, which indicates to me that the Ghostscript developers are behind the times in their development tools. Reading the security notices about it makes me wonder what hasn't been found yet.

However, the security holes in the 9.20 version, which was used in Stretch/Stable until recently, have been around for a long time. Presumably patches were made along the way, so what was different this time?

>> I'm glad that I luckily created a virtual machine running Stretch just as
>> the upgrade to Ghostscript was added to Stable so that I can stop it from
>> affecting my laptop. At least I still have a machine that can handle Scribus
>> documents containing PDFs. However I believe the maintainers should roll
>> back the update until they have a version that works with Scribus.
>>
> According to the package tracker [1] version 9.20~dfsg-3.2+deb9u5 is
> still available in stretch.  That means that those previous version
> packages are still installable on your system.  You can do something
> like:
>
> apt-get install ghostscript=9.20~dfsg-3.2+deb9u5 libgs9=9.20~dfsg-3.2+deb9u5 \
>     libgs9-common=9.20~dfsg-3.2+deb9u5
>
> If you have other GS packages installed (e.g., ghostscript-x, libgs-dev,
> etc.) then you will need to include them in the command.
>
> Once you have done that, put them on hold in whatever package manager(s)
> you use.  The procedure varies based on the particular package manager,
> so you should consult the documentation.  In any event, the "hold"
> status will prevent future upgrades of the packages, allowing you to
> retain the functionality that you need.
>
> You might consider contacting the security team to see if they will
> reconsider, but that is very unlikely to happen.

I've already hunted down the packages and installed them so my virtual machine's version of Scribus is working again.

Apparently the Scribus developers have fixed the incompatibility in the current development of 1.4.8 but Buster still uses 1.4.7.
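Roberto's reply gives the install command and says to put the packages on hold without spelling out how. The script below is an added example (mine, not from either poster) of one way to do that on a stretch system: it writes an apt_preferences(5) pin for the three packages at the 9.20~dfsg-3.2+deb9u5 version named in the thread, and checks a dpkg-query listing against that pin so you can tell when an upgrade has slipped past it. The PIN_FILE location, the `9.25~EXAMPLE` version string and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: pin the stretch Ghostscript packages at the
# deb9u5 version Roberto names and verify the installed versions against the pin.
# PIN_FILE (default /tmp/ghostscript-stretch.pref) and the sample listing below are
# constructed for illustration; the real file belongs in /etc/apt/preferences.d/.

PINNED_VERSION='9.20~dfsg-3.2+deb9u5'
PACKAGES='ghostscript libgs9 libgs9-common'

# write_pin FILE: write one apt_preferences(5) stanza per package to FILE.
# A Pin-Priority above 1000 makes apt prefer the pinned version even when the
# suite carries a newer one, so the packages stay put across "apt-get upgrade".
write_pin() {
    : > "$1"
    for pkg in $PACKAGES; do
        printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' \
            "$pkg" "$PINNED_VERSION" >> "$1"
    done
}

# check_versions: read "name<TAB>version<TAB>status" lines on stdin, as produced by
#   dpkg-query -W -f '${Package}\t${Version}\t${db:Status-Status}\n' $PACKAGES
# and report every pinned package that is not installed at PINNED_VERSION.
# Returns 0 when all of them match, 1 otherwise.
check_versions() {
    rc=0
    tab="$(printf '\t')"
    while IFS="$tab" read -r name version status; do
        case " $PACKAGES " in
            *" $name "*) ;;     # one of the pinned packages: check it below
            *) continue ;;      # anything else in the listing: ignore
        esac
        if [ "$status" != "installed" ] || [ "$version" != "$PINNED_VERSION" ]; then
            echo "$name: want $PINNED_VERSION installed, have $version ($status)" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone demo on a constructed listing in which libgs9-common has already
# been upgraded to a 9.25 build, so the check reports it and returns non-zero.
SAMPLE_LISTING="$(printf 'ghostscript\t%s\tinstalled\nlibgs9\t%s\tinstalled\nlibgs9-common\t9.25~EXAMPLE\tinstalled\n' \
    "$PINNED_VERSION" "$PINNED_VERSION")"

write_pin "${PIN_FILE:-/tmp/ghostscript-stretch.pref}"
printf '%s\n' "$SAMPLE_LISTING" | check_versions \
    || echo "pin check failed: reinstall the pinned versions" >&2
```

On an apt-based system `apt-mark hold ghostscript libgs9 libgs9-common` reaches the same end through dpkg's hold state; the preferences file has the advantage of being a plain text artifact you can version and audit. Either way, the hold keeps the deb9u5 packages, and with them whatever 9.25 fixed, in place, so it is worth revisiting once the Scribus fix the thread mentions (1.4.8) is packaged.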
