[Pkg-gmagick-im-team] Bug#964090: Please upload backport
MJ Ray
mjr at phonecoop.coop
Tue Dec 15 12:27:02 GMT 2020
On 13 December 2020 20:19:42 UTC, Salvatore Bonaccorso <carnil at debian.org> wrote:
>Hi,
>
>Cc'ing the security-team alias.
>
>It is actually unlikely for the moment that we will revert the
>200-disable-ghostscript-formats.patch patch again, which was firstly
>included in the 8:6.9.10.23+dfsg-2.1+deb10u1 upload. It does mitigate
>in general problems with the ghostscript handled formats, e.g. the
>(new) CVE-2020-29599, cf.
>https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
>.
Does this only affect ghostscript or any action involving external commands?
Why is backtick in the whitelist?
>We follow here only what other distributions have done earlier, I
>believe SuSE has such and as well Ubuntu, from which the mentioned
>patch was actually merged in in the last update, TTBOMK.
I don't feel that is a great reason. We wouldn't have debs and so on if it was generally applicable.
Hope that helps,
MJR (mobile)
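The mitigation discussed above (refusing to hand PS/PDF-family input to Ghostscript) is normally expressed in ImageMagick's policy.xml as coder entries with rights="none". The following added script is not part of the Debian patch or this thread; it parses a policy.xml and reports which Ghostscript-handled coders are still permitted. The coder list and the two sample policies are assumptions constructed for the example.

```python
"""Check an ImageMagick policy.xml for denials of the Ghostscript-handled coders.
Added example, not the content of 200-disable-ghostscript-formats.patch.
The coder names below are the usual ImageMagick delegate names (assumption)."""
import xml.etree.ElementTree as ET

GHOSTSCRIPT_CODERS = {"PS", "PS2", "PS3", "EPS", "PDF", "XPS"}

def _expand(pattern: str) -> set:
    """Expand ImageMagick's brace syntax: '{PS,EPS}' -> {'PS', 'EPS'}; '*' stays '*'."""
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        return {p.strip().upper() for p in pattern[1:-1].split(",") if p.strip()}
    return {pattern.upper()}

def denied_coders(policy_xml: str) -> set:
    """Return the coder names a policy.xml denies all rights to (rights="none")."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        denied |= _expand(pol.get("pattern", ""))
    return denied

def missing_ghostscript_denials(policy_xml: str) -> set:
    """Ghostscript-handled coders the policy still allows; empty set means mitigated."""
    denied = denied_coders(policy_xml)
    if "*" in denied:          # a blanket coder denial covers everything
        return set()
    return GHOSTSCRIPT_CODERS - denied

# Constructed samples: a policy without coder restrictions and a hardened one.
PERMISSIVE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}"/>
</policymap>"""

if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        left = sorted(missing_ghostscript_denials(pol))
        print(f"{name}: still allows {left if left else 'nothing'}")
```

On a real system, point it at the file reported by `identify -list policy` (the Path line) rather than the inline samples.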