[Pkg-gmagick-im-team] Bug#964090: Please upload backport

Bastien ROUCARIES roucaries.bastien+imagemagick at gmail.com
Tue Dec 15 09:32:25 GMT 2020


Hi,

I agree with Salvatore that in general disabling PDF is the safer solution.

I am slowly recovering from work debt due to the COVID-19 lockdown in
France (I was locked down three months, and I could only work by night
for my paid job, so Debian work was not done), but I will accept a patch.

The solution of this tradeoff problem is a debconf question. I will accept a patch.

Bastien



On Sun, Dec 13, 2020 at 9:21 PM Salvatore Bonaccorso <carnil at debian.org> wrote:
>
> Hi,
>
> Cc'ing the security-team alias.
>
> On Wed, Oct 07, 2020 at 01:15:23PM -0700, Felix Lechner wrote:
> > Control: tags -1 + patch
> >
> > Hi,
> >
> > > Is this because of a ghostscript vulnerability?
> >
> > The PDF policy restriction is also in effect on Debian stable even
> > though that release ships with Ghostscript 9.27, which online sources
> > suggest is safe. [1]
> >
> > Converting images to PDF is a very common functionality. Please
> > provide a backport with the attached patch, or similar. Thanks!
>
> It is actually unlikely for the moment that we will revert the
> 200-disable-ghostscript-formats.patch patch again, which was first
> included in the 8:6.9.10.23+dfsg-2.1+deb10u1 upload. It does mitigate
> in general problems with the Ghostscript-handled formats, e.g. the
> (new) CVE-2020-29599, cf.
> https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html


