On Sun, Nov 18, 2018 at 11:49:05PM -0500, Gary Dale wrote:
>
> >
> > Of course, the world does not revolve around Scribus.
>
> No but it is a popular and important package that gives Linux a powerful
> publishing application.
>
I agree and have been very happy with Scribus in the past when I have needed a solid publishing application. However, numerous other applications also depend on ghostscript, both directly and indirectly.

> >
> > Breaking existing applications is not taken lightly and the security
> > goes to great lengths to prevent breakage altogether or to minimize
> > breakage when avoidance is not possible.
>
> There have been lots of security holes found in Ghostscript that seem to
> revolve around buffer overflows, which indicates to me that the Ghostscript
> developers are behind the times in their development tools. Reading the
> security notices about it makes me wonder what hasn't been found yet.
>
There are some applications and libraries (imagemagick is another that immediately springs to mind) that just seem to be teeming with as yet undiscovered security vulnerabilities. I say that because the frequency with which new issues are reported does not seem to be slowing down.

I think that part of it is the advances in analysis tools. For example, many of the vulnerabilities I have seen reported, and for which I have either backported or developed fixes over the last year or so, have been found by fuzzing. That is something that was not done 10 or 20 years ago, and if it was done, it was not done with the sophistication and thoroughness seen today. Given that codebases like ghostscript, tiff, imagemagick, and others have been around for 20 years or more in some cases, it is not surprising that so many issues are just waiting to be discovered.

> However the security holes on the 9.20 version which was used in
> Stretch/Stable until recently have been around for a long time. Presumably
> patches were made along the way so what was different this time?
>
That is not something that I can answer. However, based on my experience with some other packages, I can say that there are cases where a vulnerability is identified and it takes a long time to develop a proper fix. The Spectre and Meltdown vulnerabilities, which were first disclosed last year, might fall into this category. Some initial fixes were made to address the vulnerability and, as time went on, those fixes were refined to mitigate some of the performance impact and improve on the implementation. I am not sure what the case was with ghostscript, but it could have been something similar.

> >
> > apt-get install ghostscript=9.20~dfsg-3.2+deb9u5
> > libgs9=9.20~dfsg-3.2+deb9u5 libgs9-common=9.20~dfsg-3.2+deb9u5
> >
>
> I've already hunted down the packages and installed them so my virtual
> machine's version of Scribus is working again.
>
> Apparently the Scribus developers have fixed the incompatibility in the
> current development of 1.4.8 but Buster still uses 1.4.7.
>
It looks like 1.4.8 has not yet been released, so it might be unrealistic to expect that it makes its way into Debian at this point. Perhaps you can contact the package maintainer to see if there is some way you can help speed up the process of getting 1.4.8 into Debian once it is released.

Regards,

-Roberto

-- 
Roberto C. Sánchez