[Pkg-gmagick-im-team] Bug#964090: Please upload backport
Salvatore Bonaccorso
carnil at debian.org
Sun Dec 13 20:19:42 GMT 2020
Hi,
Cc'ing the security-team alias.
On Wed, Oct 07, 2020 at 01:15:23PM -0700, Felix Lechner wrote:
> Control: tags -1 + patch
>
> Hi,
>
> > Is this because of a ghostscript vulnerability?
>
> The PDF policy restriction is also in effect on Debian stable even
> though that release ships with Ghostscript 9.27, which online sources
> suggest is safe. [1]
>
> Converting images to PDF is a very common functionality. Please
> provide a backport with the attached patch, or similar. Thanks!
It is actually unlikely for the moment that we will revert the
200-disable-ghostscript-formats.patch patch again, which was first
included in the 8:6.9.10.23+dfsg-2.1+deb10u1 upload. It does mitigate
in general problems with the ghostscript-handled formats, e.g. the
(new) CVE-2020-29599, cf.
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html.
We follow here only what other distributions have done earlier; I
believe SuSE has such, and Ubuntu as well, from which the mentioned
patch was actually merged in the last update, TTBOMK.
Regards,
Salvatore
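The "policy restriction" discussed in this thread is ImageMagick's coder policy in policy.xml: a `<policy domain="coder" rights="none" pattern="..."/>` entry stops the Ghostscript-delegated formats from being decoded at all. The following check is an added example written for this page; it is not part of the Debian patch or of the messages above. It parses a policy.xml and reports which of the formats that ImageMagick hands to Ghostscript (the list `GS_CODERS` below is the set of coders commonly disabled by distribution policies and is an assumption of this example, as is the `/etc/ImageMagick-6/policy.xml` path used in the usage hint) are left unrestricted. The two sample policies are constructed inline so the script runs offline.

```python
"""Report Ghostscript-delegated ImageMagick coders that a policy.xml leaves enabled.

Added example, not from the original thread. Assumptions: the coder names in
GS_CODERS are the formats ImageMagick delegates to Ghostscript and that
distribution hardening typically disables; real-world usage would read the
system file, e.g. /etc/ImageMagick-6/policy.xml on Debian-based systems.
"""
import xml.etree.ElementTree as ET

# Coders ImageMagick passes to the Ghostscript interpreter (assumed list).
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample: a policy with only a resource limit and no coder restrictions.
PERMISSIVE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

# Constructed sample: the shape of the Debian/Ubuntu-style hardening, using
# both single-coder entries and a brace group pattern.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="{PS2,PS3,EPS}"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>"""


def _expand_pattern(pattern):
    """Expand a coder pattern into the individual coder names it covers.

    ImageMagick accepts a single coder name or a brace group such as
    {PS,PDF}; a bare "*" matches every coder.
    """
    pattern = pattern.strip()
    if pattern == "*":
        return set(GS_CODERS)
    if pattern.startswith("{") and pattern.endswith("}"):
        return {name.strip().upper() for name in pattern[1:-1].split(",")}
    return {pattern.upper()}


def disabled_coders(policy_xml):
    """Return the set of coder names whose rights are 'none' in the policy."""
    root = ET.fromstring(policy_xml)
    disabled = set()
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        disabled |= _expand_pattern(pol.get("pattern", ""))
    return disabled


def unrestricted_gs_coders(policy_xml):
    """List the Ghostscript-delegated coders that the policy does not disable."""
    disabled = disabled_coders(policy_xml)
    return [coder for coder in GS_CODERS if coder not in disabled]


if __name__ == "__main__":
    # Usage hint: replace the constructed samples with the contents of the
    # system policy file, e.g. open("/etc/ImageMagick-6/policy.xml").read().
    for label, policy in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        left_open = unrestricted_gs_coders(policy)
        status = "OK" if not left_open else "still enabled: " + ", ".join(left_open)
        print(f"{label}: {status}")
```

The script only reads the policy; it does not modify anything. Running it against the constructed samples reports every Ghostscript coder as enabled for the permissive policy and none for the hardened one, which is the state the deb10u1 patch described above produces.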