ghostscript: does not honor -P- option

Related Vulnerabilities: CVE-2010-2055  

Debian Bug report logs - #584653
ghostscript: does not honor -P- option


Reported by: "Bernhard R. Link" <brlink@debian.org>

Date: Sat, 5 Jun 2010 09:57:01 UTC

Severity: grave

Tags: patch, security

Merged with 595701

Found in versions ghostscript/8.62.dfsg.1-3.2, ghostscript/8.71~dfsg2-6

Fixed in versions 9.00~dfsg-1, ghostscript/8.71~dfsg2-6.1

Done: Michael Gilbert <michael.s.gilbert@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#584653; Package ghostscript. (Sat, 05 Jun 2010 09:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
New Bug report received and forwarded. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>. (Sat, 05 Jun 2010 09:57:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Bernhard R. Link" <brlink@debian.org>
To: submit@bugs.debian.org
Subject: ghostscript: does not honor -P- option
Date: Sat, 5 Jun 2010 11:55:08 +0200
Package: ghostscript
Version: 8.62.dfsg.1-3.2
Severity: grave
Tags: security

This is a different issue from ghostscript defaulting to -P rather than -P-,
for which I'll file another bug report.

Ghostscript does not honor -P- for postscript system libraries.

As gs_init.ps is such a file, and is also the file responsible for all -dSAFER
options, having such a file in the current directory means the contents
of that file are executed with full privileges.

$ ls doh
ls: cannot access doh: No such file or directory
$ cat gs_init.ps
862
(doh) (w) file
$ /usr/bin/gs -P- -dSAFER
$ ls doh
doh

(Note that for different versions of gs you need to change the number in
the first line).

See also
http://bugs.ghostscript.com/show_bug.cgi?id=691350
and
http://www.openwall.com/lists/oss-security/2010/05/29/2

	Bernhard R. Link
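The following shell script is an added example; it is not part of the bug report or of Ghostscript. It turns the recipe above into a self-check for an installed gs, so an administrator can confirm whether a given build reads gs_init.ps from the current directory despite -P-. The function name gs_honours_P_check and the marker file name are mine; deriving the leading revision integer by stripping the dots from `gs --version` (862 for 8.62, 871 for 8.71, 900 for 9.00) is an assumption that generalizes the reporter's note about changing that number per version. The stand-in gs_init.ps only creates an empty marker file inside a scratch directory that is removed afterwards.

```shell
#!/bin/sh
# Added example (not from the bug report or from Ghostscript): does the
# installed gs honour -P-?  We plant a stand-in gs_init.ps in a scratch
# directory, exactly as the report's "doh" recipe does, but the stand-in
# only creates an empty marker file.  If the marker appears, gs loaded the
# file from the current directory in spite of -P-.
#
# Exit status of gs_honours_P_check:
#   0 = -P- honoured (marker not created)
#   1 = -P- NOT honoured (marker created from the current directory)
#   2 = gs not found / could not run the check

gs_honours_P_check() {
    gs_bin="${1:-gs}"
    command -v "$gs_bin" >/dev/null 2>&1 || return 2

    # gs_init.ps must begin with the interpreter revision as an integer
    # (862 for 8.62, 871 for 8.71, 900 for 9.00).  Assumption: stripping the
    # dots from "gs --version" yields that integer for the installed build.
    revision=$("$gs_bin" --version 2>/dev/null | tr -d '.')
    [ -n "$revision" ] || return 2

    scratch=$(mktemp -d) || return 2
    rc=0
    (
        cd "$scratch" || exit 2
        # Stand-in gs_init.ps: revision line, then create the marker file.
        printf '%s\n(marker) (w) file closefile\n' "$revision" > gs_init.ps
        # -dBATCH/-dNOPAUSE/-dNODISPLAY make a fixed gs (which loads its real
        # gs_init.ps) exit instead of waiting for interactive input.
        "$gs_bin" -P- -dSAFER -dBATCH -dNOPAUSE -dNODISPLAY -q \
            </dev/null >/dev/null 2>&1
        if [ -e marker ]; then exit 1; else exit 0; fi
    ) || rc=$?
    rm -rf "$scratch"
    return "$rc"
}

# Top-level usage: ./check_gs_P.sh [/path/to/gs]
gs_honours_P_check "$@"; status=$?
case $status in
    0) echo "ok: gs honours -P- (gs_init.ps in the current directory was ignored)" ;;
    1) echo "NOT honoured: gs_init.ps was loaded from the current directory despite -P-" ;;
    *) echo "skipped: gs not found or check could not run" ;;
esac
```

Run it directly, optionally passing the path of the gs binary to test, or source it and call the function. Exit status 1 is precisely the behaviour this bug describes, since the -dSAFER restrictions are set up by gs_init.ps itself, so a gs_init.ps taken from the current directory runs before any of them apply; exit status 0 means the installed build honours -P-.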




Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#584653; Package ghostscript. (Tue, 13 Jul 2010 23:09:06 GMT) (full text, mbox, link).


Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>. (Tue, 13 Jul 2010 23:09:06 GMT) (full text, mbox, link).


Message #10 received at 584653@bugs.debian.org (full text, mbox, reply):

From: paul.szabo@sydney.edu.au
To: 584653@bugs.debian.org, 584663@bugs.debian.org, 584667@bugs.debian.org
Subject: Bug#583183: CVE-2010-2055
Date: Wed, 14 Jul 2010 09:05:49 +1000
Seems that bug
  http://bugs.debian.org/583183
(which is now archived, un-changeable) or maybe one of the "derivatives"
  http://bugs.debian.org/584653
  http://bugs.debian.org/584663
  http://bugs.debian.org/584667
is being tracked as CVE-2010-2055.

Another somewhat useful reference is
  https://bugzilla.redhat.com/show_bug.cgi?id=599564

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#584653; Package ghostscript. (Sat, 07 Aug 2010 09:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Steinborn <gnugv_maintainer@yahoo.de>:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>. (Sat, 07 Aug 2010 09:27:03 GMT) (full text, mbox, link).


Message #15 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Markus Steinborn <gnugv_maintainer@yahoo.de>
To: 584653@bugs.debian.org
Subject: ghostscript: does not honor -P- option
Date: Sat, 07 Aug 2010 11:23:45 +0200
[Message part 1 (text/plain, inline)]
The attached patches are taken from the upstream repository. r11352 has 
been backported to GPL ghostscript 8.71. The other patch file contains 
the documentation update done by upstream.


Greetings

Markus Steinborn
GNU gv maintainer
[11390+11496.patch (text/x-patch, attachment)]
[ghostscript-11352.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#584653; Package ghostscript. (Sun, 08 Aug 2010 20:51:06 GMT) (full text, mbox, link).


Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>. (Sun, 08 Aug 2010 20:51:06 GMT) (full text, mbox, link).


Message #20 received at 584653@bugs.debian.org (full text, mbox, reply):

From: paul.szabo@sydney.edu.au
To: 584653@bugs.debian.org
Subject: Re: ghostscript: does not honor -P- option
Date: Mon, 9 Aug 2010 06:47:27 +1000
I wonder if this is now fixed upstream:
http://bugs.ghostscript.com/show_bug.cgi?id=691350#c19

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Forcibly Merged 584653 595701. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Mon, 20 Sep 2010 01:00:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Mon, 18 Oct 2010 16:39:06 GMT) (full text, mbox, link).


Acknowledgement sent to d+deb@vdr.jp:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Mon, 18 Oct 2010 16:39:06 GMT) (full text, mbox, link).


Message #27 received at 584653@bugs.debian.org (full text, mbox, reply):

From: d+deb@vdr.jp
To: control@bugs.debian.org
Cc: 584653@bugs.debian.org
Subject: fix patch
Date: Tue, 19 Oct 2010 01:35:42 +0900
[Message part 1 (text/plain, inline)]
tags 584653 + patch
thanks

fix patch attached.

http://svn.ghostscript.com/viewvc/trunk/gs/Resource/Init/gs_res.ps?r1=11510&r2=11515&view=patch
-- 
Regards,
	dai

GPG Fingerprint = 0B29 D88E 42E6 B765 B8D8 EA50 7839 619D D439 668E
[ghostscript-584653.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from d+deb@vdr.jp to control@bugs.debian.org. (Mon, 18 Oct 2010 16:39:11 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sat, 23 Oct 2010 23:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Julián Moreno Patiño <darkjunix@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sat, 23 Oct 2010 23:03:03 GMT) (full text, mbox, link).


Message #34 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Julián Moreno Patiño <darkjunix@gmail.com>
To: 584653@bugs.debian.org
Subject: Patch to close CVE-2010-2055
Date: Sat, 23 Oct 2010 18:01:27 -0500
[Message part 1 (text/plain, inline)]
tags 584653 + patch
thanks

The previous patch does not fix this bug completely.

Complete patch to fix CVE-2010-2055 attached.


Kind Regards,

-- 
Julián Moreno Patiño
Registered GNU Linux User ID 488513
PGP KEY ID 6168BF60
[Message part 2 (text/html, inline)]
[1010_CVE-2010-2055.patch (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sat, 23 Oct 2010 23:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Julián Moreno Patiño <darkjunix@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sat, 23 Oct 2010 23:39:03 GMT) (full text, mbox, link).


Message #39 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Julián Moreno Patiño <darkjunix@gmail.com>
To: 584653@bugs.debian.org
Subject: Patch to close CVE-2010-2055
Date: Sat, 23 Oct 2010 18:34:29 -0500
Hi,

I forgot to mention it: the patch only applies to the squeeze/sid version.


Kind Regards,

-- 
Julián Moreno Patiño
Registered GNU Linux User ID 488513
PGP KEY ID 6168BF60




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Mon, 25 Oct 2010 07:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to 584653@bugs.debian.org, 584663@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Mon, 25 Oct 2010 07:21:03 GMT) (full text, mbox, link).


Message #44 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: Julián Moreno Patiño <darkjunix@gmail.com>, 584653@bugs.debian.org, 584663@bugs.debian.org
Subject: Re: Debian NMU ghostscript
Date: Mon, 25 Oct 2010 09:18:14 +0200
[Message part 1 (text/plain, inline)]
Hi Julián,

On Sun, Oct 24, 2010 at 10:09:27PM -0500, Julián Moreno Patiño wrote:
>Hi Jonas Smedegaard,

Fine that you contact me privately (since I have been silent at the 
bugreport), but please keep the bugreport in the loop too.

I take the liberty of responding via the bugreports, as I see no need 
for discretion in your post.


>I did a NMU package to close 584653, could you give me permission about
>this?
>Moreover I think that bug 584663 is the same bug 584653, could you merge
>this into bts?

Doing an NMU implies taking the responsibility of keeping an eye on the 
NMUed package and take care of fixing potential collateral damage caused 
by that NMU.

Are you willing and feel competent to take that responsibility here?

I am not, myself, willing to cherry-pick any more patches from upstream.  
The pile is too big already, and some bugreports have emerged about 
problems supposedly fixed by some of it but not working - most likely 
due to missing some parts.

As I told Moritz (in another private mail, unfortunately) my intention 
is to package the new upstream release of Ghostscript and try convince 
the release team to accept that for Squeeze.  I told him this a few 
weeks ago (IIRC) and still haven't found the time to finish it, partly 
due to my laptop often overheating and shutting off without warning 
these days :-(

If not acceptable, I strongly consider to step down as Ghostscript 
maintainer: It has turned out to not be a team effort after all - we 
have not been 3 persons working together on this the last year, but only 
me.  I cannot continue to manage that burden.


So there you go: Consider for yourself, don't expect a blessing from me.


Kind regards, and sorry for the silence,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Mon, 25 Oct 2010 09:12:06 GMT) (full text, mbox, link).


Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Mon, 25 Oct 2010 09:12:06 GMT) (full text, mbox, link).


Message #49 received at 584653@bugs.debian.org (full text, mbox, reply):

From: paul.szabo@sydney.edu.au
To: 584653@bugs.debian.org, 584663@bugs.debian.org, darkjunix@gmail.com, dr@jones.dk
Subject: Re: Bug#584653: Debian NMU ghostscript
Date: Mon, 25 Oct 2010 20:08:42 +1100
Dear Julián,

> ... I think that bug 584663 is the same bug 584653 ...

Sorry no, they are NOT the same bug. Bug 584653 is about things being
wrong even if you explicitly use the option "-P-". Bug 584663 is about
changing the default behaviour from the unsafe "-P" to the (hopefully
working, secure) "-P-".

(These bugs are related. I had tried to report them as the "one thing"
bug 583183, but that did not get very far...)

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Tue, 26 Oct 2010 22:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Julián Moreno Patiño <darkjunix@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Tue, 26 Oct 2010 22:15:03 GMT) (full text, mbox, link).


Message #54 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Julián Moreno Patiño <darkjunix@gmail.com>
To: 584653@bugs.debian.org, 584663@bugs.debian.org, dr@jones.dk
Subject: Re: Debian NMU ghostscript
Date: Tue, 26 Oct 2010 17:11:46 -0500
[Message part 1 (text/plain, inline)]
Hi,

> I take the liberty of responding via the bugreports, as I see no need for
> discretion in your post.

Fine +1

>> I did an NMU package to close 584653, could you give me permission about
>> this?
>> Moreover I think that bug 584663 is the same bug 584653, could you merge
>> this into bts?
>
> Doing an NMU implies taking the responsibility of keeping an eye on the
> NMUed package and take care of fixing potential collateral damage caused by
> that NMU.
>
> Are you willing and feel competent to take that responsibility here?
>
> I am not, myself, willing to cherry-pick any more patches from upstream.
> The pile is too big already, and some bugreports have emerged about
> problems supposedly fixed by some of it but not working - most likely due to
> missing some parts.

Basically, the real work was done by Tim Waugh from the Red Hat security team;
I only imported and adapted two patches from:

http://pkgs.fedoraproject.org/gitweb/?p=ghostscript.git;a=shortlog;h=refs/tags/ghostscript-8.71-14.fc14

In relation to:
https://bugzilla.redhat.com/show_bug.cgi?id=599564

To be more specific:
ghostscript-SEARCH_HERE_FIRST.patch
ghostscript--P-.patch

Please check out:

http://mentors.debian.net/debian/pool/main/g/ghostscript/ghostscript_8.71~dfsg2-6.1.dsc

Kind Regards,

-- 
Julián Moreno Patiño
Registered GNU Linux User ID 488513
PGP KEY ID 6168BF60
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#584653; Package ghostscript. (Tue, 26 Oct 2010 23:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jonas Smedegaard <dr@jones.dk>:
Extra info received and forwarded to list. (Tue, 26 Oct 2010 23:42:03 GMT) (full text, mbox, link).


Message #59 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: Julián Moreno Patiño <darkjunix@gmail.com>
Cc: 584653@bugs.debian.org, 584663@bugs.debian.org
Subject: Re: Debian NMU ghostscript
Date: Wed, 27 Oct 2010 01:40:15 +0200
[Message part 1 (text/plain, inline)]
On Tue, Oct 26, 2010 at 05:11:46PM -0500, Julián Moreno Patiño wrote:
>>> I did a NMU package to close 584653, could you give me permission 
>>> about this?
>>> Moreover I think that bug 584663 is the same bug 584653, could you 
>>> merge this into bts?
>>>
>>
>> Doing an NMU implies taking the responsibility of keeping an eye on 
>> the NMUed package and take care of fixing potential collateral damage 
>> caused by that NMU.
>>
>> Are you willing and feel competent to take that responsibility here?
>>
>> I am not, myself, willing to cherry-pick any more patches from 
>> upstream.
>>  The pile is too big already, and some bugreports have emerged about 
>> problems supposedly fixed by some of it but not working - most likely 
>> due to missing some parts.
>>
>>
>Basically, the real work was done by Tim Waugh from redhat security Team,

[snip]
>Please check out:

No, I won't.

I will not take responsibility for any more patches on top of the current 
pile, which I am to blame for but which makes the current code unlike any 
upstream release and therefore unlikely to be reliably comparable to 
that of other distributions either.

NMU means *you* take the responsibility, not me.

So stop trying to convince me.


Sorry if I did not make that clear enough before.


Kind regards,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sun, 31 Oct 2010 19:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to 584653@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sun, 31 Oct 2010 19:27:03 GMT) (full text, mbox, link).


Message #64 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: Julián Moreno Patiño <darkjunix@gmail.com>, 584653@bugs.debian.org
Subject: Re: Bug#584653: Patch to close CVE-2010-2055
Date: Sun, 31 Oct 2010 20:25:10 +0100
[Message part 1 (text/plain, inline)]
On Sat, Oct 23, 2010 at 06:01:27PM -0500, Julián Moreno Patiño wrote:
>The previous patch does not fix this bug completely .
>
>Complete patch to fix CVE-2010-2055 attached.

Hi Julián and others,

I now completed packaging a new upstream release of ghostscript targeted 
experimental - it is currently waiting in NEW queue.

I would very much appreciate if you could help verify that this newer 
ghostscript packaging properly solves this bug, and if not then help 
prepare a patch with the remaining parts.

If you are interested in using the new package, I have backported it and 
made it available here:

deb http://debian.jones.dk/ sid printing
deb http://debian.jones.dk/ squeeze printing

You need only add one of the lines - the one matching your system.
The backports are compiled for i386 and amd64.



Regards,

- Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Tue, 16 Nov 2010 04:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Asheesh Laroia <asheesh@asheesh.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Tue, 16 Nov 2010 04:42:03 GMT) (full text, mbox, link).


Message #69 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Asheesh Laroia <asheesh@asheesh.org>
To: 584653@bugs.debian.org
Subject: Ghostscript 9.0 does not seem to have the problem
Date: Mon, 15 Nov 2010 23:38:30 -0500 (EST)
I used the "doh" recipe to reproduce the bug on sid. That works fine.

I just installed ghostscript 9.0 from Jonas's repositories. That recipe no 
longer reproduces the bug.

-- Asheesh.




Reply sent to 584653@bugs.debian.org:
You have taken responsibility. (Tue, 16 Nov 2010 07:03:08 GMT) (full text, mbox, link).


Notification sent to "Bernhard R. Link" <brlink@debian.org>:
Bug acknowledged by developer. (Tue, 16 Nov 2010 07:03:09 GMT) (full text, mbox, link).


Message #74 received at 584653-done@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: Asheesh Laroia <asheesh@asheesh.org>, 584653-done@bugs.debian.org
Subject: Re: Bug#584653: Ghostscript 9.0 does not seem to have the problem
Date: Tue, 16 Nov 2010 07:59:40 +0100
[Message part 1 (text/plain, inline)]
Version: 9.00~dfsg-1

On Mon, Nov 15, 2010 at 11:38:30PM -0500, Asheesh Laroia wrote:
>I used the "doh" recipe to reproduce the bug on sid. That works fine.
>
>I just installed ghostscript 9.0 from Jonas's repositories. That 
>recipe no longer reproduces the bug.

This is great news.

Thanks a lot for your help testing this!

For completeness sake, could you please tell on which version of Debian 
(squeeze, sid) you tested this?


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
[signature.asc (application/pgp-signature, inline)]

Reply sent to 584653@bugs.debian.org:
You have taken responsibility. (Tue, 16 Nov 2010 07:03:09 GMT) (full text, mbox, link).


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Tue, 16 Nov 2010 07:03:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Tue, 16 Nov 2010 14:27:07 GMT) (full text, mbox, link).


Acknowledgement sent to Asheesh Laroia <asheesh@asheesh.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Tue, 16 Nov 2010 14:27:07 GMT) (full text, mbox, link).


Message #84 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Asheesh Laroia <asheesh@asheesh.org>
To: 584653@bugs.debian.org
Subject: Re: Bug#584653: Ghostscript 9.0 does not seem to have the problem
Date: Tue, 16 Nov 2010 09:23:39 -0500 (EST)
On Tue, 16 Nov 2010, Jonas Smedegaard wrote:

> Version: 9.00~dfsg-1
>
> On Mon, Nov 15, 2010 at 11:38:30PM -0500, Asheesh Laroia wrote:
>> I used the "doh" recipe to reproduce the bug on sid. That works fine.
>> 
>> I just installed ghostscript 9.0 from Jonas's repositories. That recipe no 
>> longer reproduces the bug.
>
> This is great news.
>
> Thanks a lot for your help testing this!
>
> For completeness sake, could you please tell on which version of Debian 
> (squeeze, sid) you tested this?

sid, for what it's worth!




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Tue, 16 Nov 2010 16:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to 584653@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Tue, 16 Nov 2010 16:12:03 GMT) (full text, mbox, link).


Message #89 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: Asheesh Laroia <asheesh@asheesh.org>, 584653@bugs.debian.org
Subject: Re: Bug#584653: Ghostscript 9.0 does not seem to have the problem
Date: Tue, 16 Nov 2010 17:10:32 +0100
[Message part 1 (text/plain, inline)]
On Tue, Nov 16, 2010 at 09:23:39AM -0500, Asheesh Laroia wrote:
>On Tue, 16 Nov 2010, Jonas Smedegaard wrote:
>
>>Version: 9.00~dfsg-1
>>
>>On Mon, Nov 15, 2010 at 11:38:30PM -0500, Asheesh Laroia wrote:
>>>I used the "doh" recipe to reproduce the bug on sid. That works fine.
>>>
>>>I just installed ghostscript 9.0 from Jonas's repositories. That 
>>>recipe no longer reproduces the bug.
>>
>>This is great news.
>>
>>Thanks a lot for your help testing this!
>>
>>For completeness sake, could you please tell on which version of 
>>Debian (squeeze, sid) you tested this?
>
>sid, for what it's worth!

Thanks!


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sat, 20 Nov 2010 20:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sat, 20 Nov 2010 20:42:03 GMT) (full text, mbox, link).


Message #94 received at 584653@bugs.debian.org (full text, mbox, reply):

From: paul.szabo@sydney.edu.au
To: 584653@bugs.debian.org
Subject: Re: Bug#584653: Patch to close CVE-2010-2055
Date: Sun, 21 Nov 2010 07:39:16 +1100
Dear Jonas,

> ... I have backported it ...
> deb http://debian.jones.dk/ squeeze printing

I have now upgraded a machine to squeeze and tried your
ghostscript 9.00~dfsg-1~0jones1
package, it works perfectly, thanks.

Will this make it into squeeze? Seems not, being a backport.
Should not this bug #584653 be left open (not "done"), as a
reminder that squeeze is insecure? Or maybe, that is tracked
in some way I am not aware of.

Seems to me that in your package, the default is -P- (not -P).
Should not this be mentioned in bug #584663 ?

Could your package include the patch for bug #592569 also,
to have -dSAFER as default?

Thanks, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sat, 20 Nov 2010 21:15:06 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sat, 20 Nov 2010 21:15:06 GMT) (full text, mbox, link).


Message #99 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>
To: paul.szabo@sydney.edu.au, 584653@bugs.debian.org
Subject: Re: Bug#584653: Patch to close CVE-2010-2055
Date: Sat, 20 Nov 2010 22:12:41 +0100
[Message part 1 (text/plain, inline)]
On Sun, Nov 21, 2010 at 07:39:16 +1100, paul.szabo@sydney.edu.au wrote:

> Will this make it into squeeze? Seems not, being a backport.
> Should not this bug #584653 be left open (not "done"), as a
> reminder that squeeze is insecure? Or maybe, that is tracked
> in some way I am not aware of.
> 
See the version graph at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584653
The affected versions seem to be marked correctly.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sat, 20 Nov 2010 23:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sat, 20 Nov 2010 23:48:03 GMT) (full text, mbox, link).


Message #104 received at 584653@bugs.debian.org (full text, mbox, reply):

From: paul.szabo@sydney.edu.au
To: 584653@bugs.debian.org, jcristau@debian.org
Subject: Re: Bug#584653: Patch to close CVE-2010-2055
Date: Sun, 21 Nov 2010 10:44:58 +1100
Dear Julien,

>> Will this make it into squeeze? ...
> See the version graph at
> http://bugs.debian.org/584653
> The affected versions seem to be marked correctly.

What I was asking... When the squeeze release is being put together
and they look at ghostscript, will they say:
  1 - The bug is done, ghostscript is OK.
  2 - Version 8.71 has a grave i.e. RC bug, must upgrade to 9.00.
(or something else)? Your reply suggests that they will choose "2",
in effect assuring me that this will make it into squeeze.

Thanks, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sun, 21 Nov 2010 04:39:02 GMT) (full text, mbox, link).


Acknowledgement sent to 584653@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sun, 21 Nov 2010 04:39:03 GMT) (full text, mbox, link).


Message #109 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: paul.szabo@sydney.edu.au, 584653@bugs.debian.org
Subject: Re: Bug#584653: Patch to close CVE-2010-2055
Date: Sun, 21 Nov 2010 05:36:55 +0100
[Message part 1 (text/plain, inline)]
Hi Paul,

On Sun, Nov 21, 2010, paul.szabo@sydney.edu.au wrote:
>> ... I have backported it ...
>> deb http://debian.jones.dk/ squeeze printing
>
>I have now upgraded a machine to squeeze and tried your
>ghostscript 9.00~dfsg-1~0jones1
>package, it works perfectly, thanks.

Great!  Thanks for the feedback!


>Will this make it into squeeze? Seems not, being a backport.

8.71~dfsg2-6 is in testing, but contains RC bugs.

9.00~dfsg-1 is in experimental: Will never be part of a release.

9.00~dfsg-1~0jones1 is unofficial: Will never enter Debian.

Thanks to positive feedback from you and others, I intend to release 
9.00~dfsg-2 targeted unstable, and then ask the Release Team for a 
freeze exception to let it into testing.

So these are possible scenarios for Ghostscript in Squeeze:

 a) 9.00~dfsg-2 (if approved by Release team and no new bugs found)
 b) 8.71~dfsg2-7 (if someone steps up to package AND MAINTAIN it)
 c) 8.71~dfsg2-6 (if Release team choose to ignore the RC bugs)
 d) none (if Release team choose to drop ghostscript from Squeeze)

I consider c) and d) as highly unlikely.


>Should not this bug #584653 be left open (not "done"), as a
>reminder that squeeze is insecure? Or maybe, that is tracked
>in some way I am not aware of.

As Julien correctly points out, the "done" marking included a version 
hint, so when telling the BTS that you are interested in Squeeze, it 
will properly show the bug as still not closed there.  Thanks for your 
concern, though! :-)


>Seems to me that in your package, the default is -P- (not -P).
>Should not this be mentioned in bug #584663 ?
>
>Could your package include the patch for bug #592569 also, to have 
>-dSAFER as default?

Let's discuss these issues at the particular bugreports.

I really appreciate your persistence!! :-)


- Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sat, 27 Nov 2010 03:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sat, 27 Nov 2010 03:48:03 GMT) (full text, mbox, link).


Message #114 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 584653@bugs.debian.org, 584653-submitter@bugs.debian.org
Subject: re: ghostscript: does not honor -P- option
Date: Fri, 26 Nov 2010 22:43:56 -0500
If I'm reading this discussion right, you expect someone else to apply
the attached patches and then assume responsibility for the entire
package since you're unwilling to maintain it if it has any more patches?
That seems a bit extreme, but I will take a look at doing so when I
find some time.  It looks like the release team won't be accepting the
version in experimental due to the rather large diff.

Best wishes,
Mike




Message sent on to "Bernhard R. Link" <brlink@debian.org>:
Bug#584653. (Sat, 27 Nov 2010 03:48:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sat, 27 Nov 2010 11:12:05 GMT) (full text, mbox, link).


Acknowledgement sent to 584653@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sat, 27 Nov 2010 11:12:05 GMT) (full text, mbox, link).


Message #122 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 584653@bugs.debian.org
Subject: Re: Bug#584653: ghostscript: does not honor -P- option
Date: Sat, 27 Nov 2010 11:54:52 +0100
[Message part 1 (text/plain, inline)]
Hi Michael,

On Fri, Nov 26, 2010 at 10:43:56PM -0500, Michael Gilbert wrote:
>If I'm reading this discussion right, you expect someone else to apply 
>the attached patches and then assume responsibility for the entire 
>package since you're unwilling to maintain it if it has any more patches?
>That seems a bit extreme, but I will take a look at doing so when I
>find some time.

Do you consider joining the ghostscript team?  That'd be great!


>It looks like the release team won't be accepting the version in 
>experimental due to the rather large diff.

One way to find out is by asking them.

My plan is to ask when I have a package that works - i.e. fix bug#575798
(and disable FAPI again, to more closely match the earlier release).  But since
your plan is different, I suggest you ask _now_, before you spend time
on keeping the massively patched old release, if the release team might
consider approving the newer release which includes upstream maintenance
of those same patches.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sat, 27 Nov 2010 21:39:07 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sat, 27 Nov 2010 21:39:07 GMT) (full text, mbox, link).


Message #127 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 584653@bugs.debian.org
Subject: Re: Bug#584653: ghostscript: does not honor -P- option
Date: Sat, 27 Nov 2010 16:39:21 -0500
On Sat, 27 Nov 2010 11:54:52 +0100 Jonas Smedegaard wrote:

> Hi Michael,
> 
> On Fri, Nov 26, 2010 at 10:43:56PM -0500, Michael Gilbert wrote:
> >If I'm reading this discussion right, you expect someone else to apply
> >the attached patches and then assume responsibility for the entire
> >package since you're unwilling to maintain it if it has any more patches?
> >That seems a bit extreme, but I will take a look at doing so when I
> >find some time.
> 
> Do you consider joining the ghostscript team?  That'd be great!
> 
> 
> >It looks like the release team won't be accepting the version in 
> >experimental due to the rather large diff.
> 
> One way to find out is by asking them.
> 
> My plan is to ask when I have a package that works - i.e. fix bug#575798
> (and disable FAPI again, to more closely match the earlier release).  But since
> your plan is different, I suggest you ask _now_, before you spend time
> on keeping the massively patched old release, if the release team might
> consider approving the newer release which includes upstream maintenance
> of those same patches.

Just curious why you haven't asked them yourself yet?  It is your
package after all.

Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sat, 27 Nov 2010 21:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Mehdi Dogguy <mehdi@dogguy.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sat, 27 Nov 2010 21:48:03 GMT) (full text, mbox, link).


Message #132 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Mehdi Dogguy <mehdi@dogguy.org>
To: 584653@bugs.debian.org
Cc: Jonas Smedegaard <dr@jones.dk>, Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#584653: ghostscript: does not honor -P- option
Date: Sat, 27 Nov 2010 22:41:39 +0100
On 11/27/2010 11:54 AM, Jonas Smedegaard wrote:
> 
> On Fri, Nov 26, 2010 at 10:43:56PM -0500, Michael Gilbert wrote:
>> It looks like the release team won't be accepting the version in 
>> experimental due to the rather large diff.
> 
> One way to find out is by asking them.
> 
> My plan is to ask when I have a package that works - i.e. fix
> bug#575798 (and disable FAPI again, to more closely match the earlier
> release). But since your plan is different, I suggest you ask _now_,
> before you spend time on keeping the massively patched old release,
> if the release team might consider approving the newer release which
> includes upstream maintenance of those same patches.
> 

We prefer targeted fixes against the version currently sitting in Squeeze.
The diff between experimental and testing is really huge and we won't be
able to review it or accept it, I'm afraid. (especially so late in the
freeze).

Regards,

-- 
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sat, 27 Nov 2010 22:21:02 GMT) (full text, mbox, link).


Acknowledgement sent to 584653@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sat, 27 Nov 2010 22:21:03 GMT) (full text, mbox, link).


Message #137 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: Mehdi Dogguy <mehdi@dogguy.org>
Cc: 584653@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#584653: ghostscript: does not honor -P- option
Date: Sat, 27 Nov 2010 23:11:17 +0100
On Sat, Nov 27, 2010 at 10:41:39PM +0100, Mehdi Dogguy wrote:
>On 11/27/2010 11:54 AM, Jonas Smedegaard wrote:
>>
>> On Fri, Nov 26, 2010 at 10:43:56PM -0500, Michael Gilbert wrote:
>>> It looks like the release team won't be accepting the version in 
>>> experimental due to the rather large diff.
>>
>> One way to find out is by asking them.
>>
>> My plan is to ask when I have a package that works - i.e. fix
>> bug#575798 (and disable FAPI again, to more closely match the earlier release).
>> But since your plan is different, I suggest you ask _now_, before you
>> spend time on keeping the massively patched old release, if the
>> release team might consider approving the newer release which includes
>> upstream maintenance of those same patches.
>>
>
>We prefer targeted fixes against the version currently sitting in 
>Squeeze. The diff between experimental and testing is really huge and 
>we won't be able to review it or accept it, I'm afraid. (especially so 
>late in the freeze).

Thanks for clarifying that there is no(!) chance of accepting the newer 
upstream release for Squeeze.

Great then that Michael (hopefully) steps in and takes responsibility of 
handling this more elegantly than I have been capable of.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sat, 27 Nov 2010 23:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sat, 27 Nov 2010 23:48:05 GMT) (full text, mbox, link).


Message #142 received at 584653@bugs.debian.org (full text, mbox, reply):

From: paul.szabo@sydney.edu.au
To: 584653@bugs.debian.org, mehdi@dogguy.org
Subject: Re: Bug#584653: ghostscript: does not honor -P- option
Date: Sun, 28 Nov 2010 10:44:17 +1100
Dear Mehdi,

> We prefer targeted fixes ...
> ... we won't be able to review [gs 9.00] or accept it ...

Supposing that those "targeted fixes" may not happen. Would you then
release gs 8.71 with a grave (= RC) bug? Or would you drop gs, or delay
squeeze? I am genuinely curious.

Thanks, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Wed, 01 Dec 2010 09:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Arne Wichmann <aw@linux.de>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Wed, 01 Dec 2010 09:57:03 GMT) (full text, mbox, link).


Message #147 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Arne Wichmann <aw@linux.de>
To: 584653@bugs.debian.org, mehdi@dogguy.org, security@debian.org
Subject: RC bugs in upcoming stable
Date: Wed, 1 Dec 2010 10:44:04 +0100
So, to clarify, does that mean that this 6 month old [1] security problem
which was deemed too difficult to fix by the stable security team [2] will
be around for the next 2 years because the only available fix does not make
it into stable? [3]

[1] http://www.securityfocus.com/archive/1/511433
[2] http://security-tracker.debian.org/tracker/CVE-2010-2055
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584653

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Wed, 01 Dec 2010 10:21:02 GMT) (full text, mbox, link).


Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Wed, 01 Dec 2010 10:21:02 GMT) (full text, mbox, link).


Message #152 received at 584653@bugs.debian.org (full text, mbox, reply):

From: paul.szabo@sydney.edu.au
To: 584653@bugs.debian.org, aw@linux.de
Subject: Re: Bug#584653: RC bugs in upcoming stable
Date: Wed, 1 Dec 2010 21:19:08 +1100
Arne mentioned 
http://security-tracker.debian.org/tracker/CVE-2010-2055
and in there, I see:
 - Bug #592569 is referenced. Surely wrong: that CVE pre-dates my
   request to make -dSAFER the default, was about -P- and similar.
 - "experimental 9.00~dfsg-2 vulnerable" whereas bugs #584653 and
   #584663 are marked "Fixed in version 9.00~dfsg-1".

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Fri, 10 Dec 2010 03:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Fri, 10 Dec 2010 03:51:03 GMT) (full text, mbox, link).


Message #157 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 584653@bugs.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: CVE-2010-2055
Date: Thu, 9 Dec 2010 22:48:46 -0500
I've isolated and applied the patches needed to fix CVE-2010-2055 in
ghostscript.  See attached debdiff.

Would anyone be so kind to sponsor this?  The package is at:
http://mentors.debian.net/debian/pool/main/g/ghostscript/

Mike
[ghostscript.debdiff (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Fri, 10 Dec 2010 18:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Fri, 10 Dec 2010 18:48:03 GMT) (full text, mbox, link).


Message #162 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, dr@jones.dk
Cc: 584653@bugs.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: CVE-2010-2055
Date: Fri, 10 Dec 2010 19:45:18 +0100
On Thu, Dec 09, 2010 at 10:48:46PM -0500, Michael Gilbert wrote:
> I've isolated and applied the patches needed to fix CVE-2010-2055 in
> ghostscript.  See attached debdiff.
> 
> Would anyone be so kind to sponsor this?  The package is at:
> http://mentors.debian.net/debian/pool/main/g/ghostscript/

I don't have time to sponsor this currently, but this should be
uploaded with urgency=low, since there's the potential that
applications rely on the old, broken behaviour.

I also remember that Jonas is still considering to introduce
Ghostscript 9.0 into Squeeze. Jonas, what's the current status?

Cheers,
        Moritz





Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Fri, 10 Dec 2010 18:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Fri, 10 Dec 2010 18:57:03 GMT) (full text, mbox, link).


Message #167 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 584653@bugs.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: CVE-2010-2055
Date: Fri, 10 Dec 2010 13:53:09 -0500
On Fri, 10 Dec 2010 19:45:18 +0100, Moritz Muehlenhoff wrote:
> On Thu, Dec 09, 2010 at 10:48:46PM -0500, Michael Gilbert wrote:
> > I've isolated and applied the patches needed to fix CVE-2010-2055 in
> > ghostscript.  See attached debdiff.
> > 
> > Would anyone be so kind to sponsor this?  The package is at:
> > http://mentors.debian.net/debian/pool/main/g/ghostscript/
> 
> I don't have time to sponsor this currently, but this should be
> uploaded with urgency=low, since there's the potential that
> applications rely on the old, broken behaviour.
> 
> I also remember that Jonas is still considering to introduce
> Ghostscript 9.0 into Squeeze. Jonas, what's the current status?

The release team said that the diff was unreviewable and said no.

Mike




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#584653; Package ghostscript. (Fri, 10 Dec 2010 20:27:02 GMT) (full text, mbox, link).


Acknowledgement sent to Jonas Smedegaard <dr@jones.dk>:
Extra info received and forwarded to list. (Fri, 10 Dec 2010 20:27:02 GMT) (full text, mbox, link).


Message #172 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: Moritz Muehlenhoff <jmm@inutil.org>, 584653@bugs.debian.org
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>, team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#584653: CVE-2010-2055
Date: Fri, 10 Dec 2010 21:24:57 +0100
On Fri, Dec 10, 2010 at 07:45:18PM +0100, Moritz Muehlenhoff wrote:
>On Thu, Dec 09, 2010 at 10:48:46PM -0500, Michael Gilbert wrote:
>> I've isolated and applied the patches needed to fix CVE-2010-2055 in
>> ghostscript.  See attached debdiff.
>>
>> Would anyone be so kind to sponsor this?  The package is at:
>> http://mentors.debian.net/debian/pool/main/g/ghostscript/
>
>I don't have time to sponsor this currently, but this should be
>uploaded with urgency=low, since there's the potential that
>applications rely on the old, broken behaviour.
>
>I also remember that Jonas is still considering to introduce
>Ghostscript 9.0 into Squeeze. Jonas, what's the current status?

Michael is right - release team apparently was following my work and 
turned it down even before formally proposing it: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584653#132

@Michael: Sorry, I won't sponsor your patch.  As stated earlier as well, 
I consider myself incompetent juggling any more patches on top of the 
8.71 stack.

You are quite welcome to join the ghostscript packaging team and take 
responsibility of it yourself - for the full duration of the next stable 
release cycle!

The packaging currently in experimental contains the minimal changeset I 
felt comfortable releasing for Debian Squeeze.  Now that it has been 
turned down, my plan is to use the experimental branch for a continued 
improvements cherry-picked from upstream VCS.  If the release team 
should change their minds, it is easy for me to revive the current work 
and release it for unstable - if not (or the release of Squeeze) I will 
avoid the unstable branch.


Kind regards, and thanks anyway for your contribution,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Fri, 10 Dec 2010 21:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Fri, 10 Dec 2010 21:09:03 GMT) (full text, mbox, link).


Message #177 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 584653@bugs.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#584653: CVE-2010-2055
Date: Fri, 10 Dec 2010 16:05:09 -0500
On Fri, 10 Dec 2010 21:24:57 +0100, Jonas Smedegaard wrote:
> On Fri, Dec 10, 2010 at 07:45:18PM +0100, Moritz Muehlenhoff wrote:
> >On Thu, Dec 09, 2010 at 10:48:46PM -0500, Michael Gilbert wrote:
> >> I've isolated and applied the patches needed to fix CVE-2010-2055 in
> >> ghostscript.  See attached debdiff.
> >>
> >> Would anyone be so kind to sponsor this?  The package is at:
> >> http://mentors.debian.net/debian/pool/main/g/ghostscript/
> >
> >I don't have time to sponsor this currently, but this should be
> >uploaded with urgency=low, since there's the potential that
> >applications rely on the old, broken behaviour.
> >
> >I also remember that Jonas is still considering to introduce
> >Ghostscript 9.0 into Squeeze. Jonas, what's the current status?
> 
> Michael is right - release team apparently was following my work and 
> turned it down even before formally proposing it: 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584653#132
> 
> @Michael: Sorry, I won't sponsor your patch.  As stated earlier as well, 
> I consider myself incompetent juggling any more patches on top of the 
> 8.71 stack.

The patches are actually rather small.

> You are quite welcome to join the ghostscript packaging team and take 
> responsibility of it yourself - for the full duration of the next stable 
> release cycle!

What exactly do you want me to do?  I'm a DM, so I can't upload myself
(without dm-upload-allowed).  I could add that, but I still need an
initial sponsor.  In the meantime I've joined the ghostscript mailing
list and requested to join the alioth project.

Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Fri, 10 Dec 2010 22:21:02 GMT) (full text, mbox, link).


Acknowledgement sent to 584653@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Fri, 10 Dec 2010 22:21:02 GMT) (full text, mbox, link).


Message #182 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 584653@bugs.debian.org
Subject: Re: Bug#584653: CVE-2010-2055
Date: Fri, 10 Dec 2010 23:19:19 +0100
On Fri, Dec 10, 2010 at 04:05:09PM -0500, Michael Gilbert wrote:
>On Fri, 10 Dec 2010 21:24:57 +0100, Jonas Smedegaard wrote:
[snip]
>> >On Thu, Dec 09, 2010 at 10:48:46PM -0500, Michael Gilbert wrote:
>> >> I've isolated and applied the patches needed to fix CVE-2010-2055 
>> >> in ghostscript.  See attached debdiff.
>> >>
>> >> Would anyone be so kind to sponsor this?  The package is at: 
>> >> http://mentors.debian.net/debian/pool/main/g/ghostscript/
[snip]
>> @Michael: Sorry, I won't sponsor your patch.  As stated earlier as 
>> well, I consider myself incompetent juggling any more patches on top 
>> of the 8.71 stack.
>
>The patches are actually rather small.

Still.  Most of the 55 existing patches are rather small as well.  It 
all adds up.


>> You are quite welcome to join the ghostscript packaging team and take 
>> responsibility of it yourself - for the full duration of the next 
>> stable release cycle!
>
>What exactly do you want me to do?

I want you not only to provide a patch, but devote interest and time in 
maintaining the patched ghostscript for 2-3 years.

Not alone - I am still around - but I do hope you will be more active 
than my two other fellow maintainers: They have been silent here for 
more than a year now :-(


>I'm a DM, so I can't upload myself (without dm-upload-allowed).  I 
>could add that, but I still need an initial sponsor.

You are a DM.  That's great - as that indicates you are not new to 
maintaining packages.

What I propose is that you join a team.  Which means we work together - 
teamwork.

Sponsoring is different: It is you working on your own, and me approving 
your work.

You are right that technically I need to (initially) upload, no matter 
what we call it, but the important thing for me is that you are 
long-term committed to working on this, not just short-term "fixing a 
bug".


>In the meantime I've joined the ghostscript mailing list and requested 
>to join the alioth project.

Seems you are interested, then.  Great!

You probably requested to join the ghostscript project.  Confusingly
that's not relevant: ghostscript git is hosted in the collab-maint
project.  Please request membership of that (if you are not a member
already - I do not remember if DMs are automagically members there), and
mention as explanation that you need it to work on the ghostscript
package.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Fri, 10 Dec 2010 22:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Fri, 10 Dec 2010 22:39:03 GMT) (full text, mbox, link).


Message #187 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 584653@bugs.debian.org
Subject: Re: Bug#584653: CVE-2010-2055
Date: Fri, 10 Dec 2010 17:35:57 -0500
On Fri, 10 Dec 2010 23:19:19 +0100, Jonas Smedegaard wrote:
> Seems you are interested, then.  Great!

Yes.
 
> You probably requested to join the ghostscript project.  Confusingly
> that's not relevant: ghostscript git is hosted in the collab-maint
> project.  Please request membership of that (if you are not a member
> already - I do not remember if DMs are automagically members there), and
> mention as explanation that you need it to work on the ghostscript
> package.

OK, so you are saying that if I push my changes to git on collab-maint
you will sponsor an upload?  Should I add dm-upload-allowed?

Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sat, 11 Dec 2010 01:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to 584653@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sat, 11 Dec 2010 01:21:03 GMT) (full text, mbox, link).


Message #192 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 584653@bugs.debian.org
Subject: Re: Bug#584653: CVE-2010-2055
Date: Sat, 11 Dec 2010 02:18:43 +0100
On Fri, Dec 10, 2010 at 05:35:57PM -0500, Michael Gilbert wrote:
>On Fri, 10 Dec 2010 23:19:19 +0100, Jonas Smedegaard wrote:
>> Seems you are interested, then.  Great!
>
>Yes.
>
>> You probably requested to join the ghostscript project.  Confusingly
>> that's not relevant: ghostscript git is hosted in the collab-maint
>> project.  Please request membership of that (if you are not a member
>> already - I do not remember if DMs are automagically members there),
>> and mention as explanation that you need it to work on the
>> ghostscript package.
>
>OK, so you are saying that if I push my changes to git on collab-maint 
>you will sponsor an upload?  Should I add dm-upload-allowed?

No, that is not what I said.

I am interested in working together with you for the next years on this.

Are you interested in long-term maintaining ghostscript?


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sat, 11 Dec 2010 02:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sat, 11 Dec 2010 02:42:03 GMT) (full text, mbox, link).


Message #197 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 584653@bugs.debian.org
Subject: Re: Bug#584653: CVE-2010-2055
Date: Fri, 10 Dec 2010 21:37:56 -0500
On Fri, Dec 10, 2010 at 8:18 PM, Jonas Smedegaard wrote:
> On Fri, Dec 10, 2010 at 05:35:57PM -0500, Michael Gilbert wrote:
>>
>> On Fri, 10 Dec 2010 23:19:19 +0100, Jonas Smedegaard wrote:
>>>
>>> Seems you are interested, then.  Great!
>>
>> Yes.
>>
>>> You probably requested to join the ghostscript project.  Confusingly
>>> that's not relevant: ghostscript git is hosted in the collab-maint project.
>>> Please request membership of that (if you are not a member already - I do not
>>> remember if DMs are automagically members there), and mention as explanation
>>> that you need it to work on the ghostscript package.
>>
>> OK, so you are saying that if I push my changes to git on collab-maint you
>> will sponsor an upload?  Should I add dm-upload-allowed?
>
> No, that is not what I said.
>
> I am interested in working together with you for the next years on this.
>
> Are you interested in long-term maintaining ghostscript?

I am willing to help support the stable version with these changes,
and I will help out where I can with whatever goes into
unstable/testing in the future.  I can't speak to retaining a
long-term interest, but I do want a secure version of ghostscript on
my systems, so I will want to work on security support for the
foreseeable future.

Please clearly explain what you want me to do.  If you don't want me
to push my changes to your git repo, and you won't sponsor an nmu, and
you won't patch it on your own, then what can be done to fix the
problem?

Best wishes,
Mike




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#584653; Package ghostscript. (Sat, 11 Dec 2010 04:21:06 GMT) (full text, mbox, link).


Acknowledgement sent to Jonas Smedegaard <dr@jones.dk>:
Extra info received and forwarded to list. (Sat, 11 Dec 2010 04:21:06 GMT) (full text, mbox, link).


Message #202 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 584653@bugs.debian.org
Subject: Re: Bug#584653: CVE-2010-2055
Date: Sat, 11 Dec 2010 05:03:26 +0100
On Fri, Dec 10, 2010 at 09:37:56PM -0500, Michael Gilbert wrote:
>On Fri, Dec 10, 2010 at 8:18 PM, Jonas Smedegaard wrote:
>> On Fri, Dec 10, 2010 at 05:35:57PM -0500, Michael Gilbert wrote:
>>>
>>> On Fri, 10 Dec 2010 23:19:19 +0100, Jonas Smedegaard wrote:
>>>>
>>>> Seems you are interested, then.  Great!
>>>
>>> Yes.
>>>
>>>> You probably requested to join the ghostscript project.
>>>> Confusingly that's not relevant: ghostscript git is hosted in the
>>>> collab-maint project.  Please request membership of that (if you
>>>> are not a member already - I do not remember if DMs are automagically
>>>> members there), and mention as explanation that you need it to work
>>>> on the ghostscript package.
>>>
>>> OK, so you are saying that if I push my changes to git on 
>>> collab-maint you will sponsor an upload?  Should I add 
>>> dm-upload-allowed?
>>
>> No, that is not what I said.
>>
>> I am interested in working together with you for the next years on 
>> this.
>>
>> Are you interested in long-term maintaining ghostscript?
>
>I am willing to help support the stable version with these changes, and 
>I will help out where I can with whatever goes into unstable/testing in 
>the future.  I can't speak to retaining a long-term interest, but I do 
>want a secure version of ghostscript on my systems, so I will want to 
>work on security support for the foreseeable future.

Great.

Perhaps that is what you meant all along.  Sorry - I just read something 
very different and potentially weaker from the term "sponsoring".


>Please clearly explain what you want me to do.  If you don't want me
>to push my changes to your git repo, and you won't sponsor an nmu, and
>you won't patch it on your own, then what can be done to fix the
>problem?

Please do push your changes and prepare a release for unstable.  That 
release will not be an NMU, though, but a real release by our team, 
including you!

But beware of Moritz' warning: Your change may break existing
legitimate uses of ghostscript!  And here it is your call, I won't help
much there: I do not feel confident doing this change, you do.  So you
figure it out.  Ok?

I will help you get comfortable with the git repository and the
packaging style (CDBS, source 3.0 (quilt) and git-buildpackage is used).

You then decide what patches to add targeted Squeeze, and deal with 
any regressions.

I then help release the changes, but you are expected to follow up on 
it.


Ok?


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sun, 12 Dec 2010 20:33:06 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sun, 12 Dec 2010 20:33:06 GMT) (full text, mbox, link).


Message #207 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 584653@bugs.debian.org
Subject: Re: Bug#584653: CVE-2010-2055
Date: Sun, 12 Dec 2010 15:31:17 -0500
On Fri, Dec 10, 2010 at 11:03 PM, Jonas Smedegaard wrote:
> Please do push your changes and prepare a release for unstable.  That
> release will not be an NMU, though, but a real release by our team,
> including you!

I created a new branch and pushed it to git called 8.71-dfsg2-7.
Please review and merge/upload if you feel comfortable with it.

> But beware of Moritz' warning: Your change may break existing legitimate
> uses of ghostscript!  And here it is your call, I won't help much there: I
> do not feel confident doing this change, you do.  So you figure it out.  Ok?

Not that this is any guarantee, but Fedora pushed these patches into
their stable releases and didn't seem to have any regressions.  The
risky patch is the DSAFER one, which I've not included because of
that.

> I will help you get comfortable with the git repository and the packaging
> style (CDBS, source 3.0 (quilt) and git-buildpackage is used).
> You then decide what patches to add targeted Squeeze, and deal with any
> regressions.
>
> I then help release the changes, but you are expected to follow up on it.

Ok, sounds good to me.

Best wishes,
Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Sat, 18 Dec 2010 01:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sat, 18 Dec 2010 01:18:03 GMT) (full text, mbox, link).


Message #212 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 584653@bugs.debian.org
Subject: Re: Bug#584653: CVE-2010-2055
Date: Fri, 17 Dec 2010 20:15:19 -0500
On Sun, Dec 12, 2010 at 3:31 PM, Michael Gilbert wrote:
> On Fri, Dec 10, 2010 at 11:03 PM, Jonas Smedegaard wrote:
>> Please do push your changes and prepare a release for unstable.  That
>> release will not be an NMU, though, but a real release by our team,
>> including you!
>
> I created a new branch and pushed it to git called 8.71-dfsg2-7.
> Please review and merge/upload if you feel comfortable with it.

Do you have any feedback on these changes?  If not, is there anything
else I can address that's currently holding this up?  Thanks,

Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Thu, 23 Dec 2010 21:39:06 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Thu, 23 Dec 2010 21:39:06 GMT) (full text, mbox, link).


Message #217 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 584653@bugs.debian.org, 584663@bugs.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: Bug#584653: CVE-2010-2055
Date: Thu, 23 Dec 2010 22:34:50 +0100
user release.debian.org@packages.debian.org
usertag 584653 squeeze-is-blocker
usertag 584663 squeeze-is-blocker
kthxbye

On Fri, Dec 17, 2010 at 20:15:19 -0500, Michael Gilbert wrote:

> On Sun, Dec 12, 2010 at 3:31 PM, Michael Gilbert wrote:
> > On Fri, Dec 10, 2010 at 11:03 PM, Jonas Smedegaard wrote:
> >> Please do push your changes and prepare a release for unstable.  That
> >> release will not be an NMU, though, but a real release by our team,
> >> including you!
> >
> > I created a new branch and pushed it to git called 8.71-dfsg2-7.
> > Please review and merge/upload if you feel comfortable with it.
> 
> Do you have any feedback on these changes?  If not, is there anything
> else I can address that's currently holding this up?  Thanks,
> 
jmm says this needs to be fixed pre-release.  Tagging accordingly and
Cc:ing debian-devel per the latest release update.

I'll try and go over your changes if there's no progress in the next few
days.

Cheers,
Julien

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#584653; Package ghostscript. (Thu, 23 Dec 2010 22:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jonas Smedegaard <dr@jones.dk>:
Extra info received and forwarded to list. (Thu, 23 Dec 2010 22:15:03 GMT) (full text, mbox, link).


Message #222 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: Julien Cristau <jcristau@debian.org>, 584663@bugs.debian.org
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>, 584653@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Bug#584663: Bug#584653: CVE-2010-2055
Date: Thu, 23 Dec 2010 23:14:12 +0100
Hi Julien,

On Thu, Dec 23, 2010 at 10:34:50PM +0100, Julien Cristau wrote:
>On Fri, Dec 17, 2010 at 20:15:19 -0500, Michael Gilbert wrote:
>
>> On Sun, Dec 12, 2010 at 3:31 PM, Michael Gilbert wrote:
>> > On Fri, Dec 10, 2010 at 11:03 PM, Jonas Smedegaard wrote:
>> >> Please do push your changes and prepare a release for unstable. 
>> >>  That release will not be an NMU, though, but a real release by 
>> >> our team, including you!
>> >
>> > I created a new branch and pushed it to git called 8.71-dfsg2-7. 
>> > Please review and merge/upload if you feel comfortable with it.
>>
>> Do you have any feedback on these changes?  If not, is there anything 
>> else I can address that's currently holding this up?  Thanks,
>>
>jmm says this needs to be fixed pre-release.  Tagging accordingly and 
>Cc:ing debian-devel per the latest release update.
>
>I'll try and go over your changes if there's no progress in the next 
>few days.

Feel free to work on it now - no need to wait:

I do not feel comfortable with further patches on top of the already 
heavily patched code in testing.

If you want to take responsibility for it, you are most welcome.


Regards,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Thu, 23 Dec 2010 23:30:05 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Thu, 23 Dec 2010 23:30:05 GMT) (full text, mbox, link).


Message #227 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 584653@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#584663: Bug#584653: CVE-2010-2055
Date: Thu, 23 Dec 2010 18:26:10 -0500
On Thu, Dec 23, 2010 at 5:14 PM, Jonas Smedegaard wrote:
> Hi Julien,
>
> On Thu, Dec 23, 2010 at 10:34:50PM +0100, Julien Cristau wrote:
>>
>> On Fri, Dec 17, 2010 at 20:15:19 -0500, Michael Gilbert wrote:
>>
>>> On Sun, Dec 12, 2010 at 3:31 PM, Michael Gilbert wrote:
>>> > On Fri, Dec 10, 2010 at 11:03 PM, Jonas Smedegaard wrote:
>>> >> Please do push your changes and prepare a release for unstable.
>>> >> That release will not be an NMU, though, but a real release by
>>> >> our team, including you!
>>> >
>>> > I created a new branch and pushed it to git called 8.71-dfsg2-7.
>>> > Please review and merge/upload if you feel comfortable with it.
>>>
>>> Do you have any feedback on these changes?  If not, is there anything
>>> else I can address that's currently holding this up?  Thanks,
>>>
>> jmm says this needs to be fixed pre-release.  Tagging accordingly and
>> Cc:ing debian-devel per the latest release update.
>>
>> I'll try and go over your changes if there's no progress in the next few
>> days.
>
> Feel free to work on it now - no need to wait:
>
> I do not feel comfortable with further patches on top of the already heavily
> patched code in testing.
>
> If you want to take responsibility for it, you are most welcome.

I've fixed this in a branch in your git tree [0] and volunteered to
help support it over squeeze's lifetime.  Since you haven't responded
to any of that for a few weeks now, Moritz has volunteered to review
and will probably upload my original NMU version.

Best wishes,
Mike

[0] http://git.debian.org/?p=collab-maint/ghostscript.git;a=shortlog;h=refs/heads/8.71.dfsg2-7




Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#584653; Package ghostscript. (Fri, 24 Dec 2010 04:24:02 GMT) (full text, mbox, link).


Acknowledgement sent to 584653@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Fri, 24 Dec 2010 04:24:03 GMT) (full text, mbox, link).


Message #232 received at 584653@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 584653@bugs.debian.org
Cc: debian-release@lists.debian.org
Subject: Re: Bug#584653: Bug#584663: Bug#584653: CVE-2010-2055
Date: Fri, 24 Dec 2010 05:20:43 +0100
On Thu, Dec 23, 2010 at 06:26:10PM -0500, Michael Gilbert wrote:
>On Thu, Dec 23, 2010 at 5:14 PM, Jonas Smedegaard wrote:
>> Hi Julien,
>>
>> On Thu, Dec 23, 2010 at 10:34:50PM +0100, Julien Cristau wrote:
>>>
>>> On Fri, Dec 17, 2010 at 20:15:19 -0500, Michael Gilbert wrote:
>>>
>>>> On Sun, Dec 12, 2010 at 3:31 PM, Michael Gilbert wrote:
>>>> > On Fri, Dec 10, 2010 at 11:03 PM, Jonas Smedegaard wrote:
>>>> >> Please do push your changes and prepare a release for unstable. 
>>>> >> That release will not be an NMU, though, but a real release by 
>>>> >> our team, including you!
>>>> >
>>>> > I created a new branch and pushed it to git called 8.71-dfsg2-7. 
>>>> > Please review and merge/upload if you feel comfortable with it.
>>>>
>>>> Do you have any feedback on these changes?  If not, is there 
>>>> anything else I can address that's currently holding this up? 
>>>>  Thanks,
>>>>
>>> jmm says this needs to be fixed pre-release.  Tagging accordingly 
>>> and Cc:ing debian-devel per the latest release update.
>>>
>>> I'll try and go over your changes if there's no progress in the next 
>>> few days.
>>
>> Feel free to work on it now - no need to wait:
>>
>> I do not feel comfortable with further patches on top of the already 
>> heavily patched code in testing.
>>
>> If you want to take responsibility for it, you are most welcome.
>
>I've fixed this in a branch in your git tree [0] and volunteered to 
>help support it over squeeze's lifetime.  Since you haven't responded 
>to any of that for a few weeks now, Moritz has volunteered to review 
>and will probably upload my original NMU version.

Great!

Sorry for my lack of response in all this, Michael. I just really don't 
feel comfortable with that patching, and when you then passed it over to 
me with the message "...if you feel comfortable with it" I stalled. :-(


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Reply sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
You have taken responsibility. (Tue, 28 Dec 2010 00:36:07 GMT) (full text, mbox, link).


Notification sent to "Bernhard R. Link" <brlink@debian.org>:
Bug acknowledged by developer. (Tue, 28 Dec 2010 00:36:07 GMT) (full text, mbox, link).


Message #237 received at 584653-close@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 584653-close@bugs.debian.org
Subject: Bug#584653: fixed in ghostscript 8.71~dfsg2-6.1
Date: Tue, 28 Dec 2010 00:32:23 +0000
Source: ghostscript
Source-Version: 8.71~dfsg2-6.1

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive:

ghostscript-cups_8.71~dfsg2-6.1_i386.deb
  to main/g/ghostscript/ghostscript-cups_8.71~dfsg2-6.1_i386.deb
ghostscript-doc_8.71~dfsg2-6.1_all.deb
  to main/g/ghostscript/ghostscript-doc_8.71~dfsg2-6.1_all.deb
ghostscript-x_8.71~dfsg2-6.1_i386.deb
  to main/g/ghostscript/ghostscript-x_8.71~dfsg2-6.1_i386.deb
ghostscript_8.71~dfsg2-6.1.debian.tar.gz
  to main/g/ghostscript/ghostscript_8.71~dfsg2-6.1.debian.tar.gz
ghostscript_8.71~dfsg2-6.1.dsc
  to main/g/ghostscript/ghostscript_8.71~dfsg2-6.1.dsc
ghostscript_8.71~dfsg2-6.1_i386.deb
  to main/g/ghostscript/ghostscript_8.71~dfsg2-6.1_i386.deb
gs-common_8.71~dfsg2-6.1_all.deb
  to main/g/ghostscript/gs-common_8.71~dfsg2-6.1_all.deb
gs-esp_8.71~dfsg2-6.1_all.deb
  to main/g/ghostscript/gs-esp_8.71~dfsg2-6.1_all.deb
gs-gpl_8.71~dfsg2-6.1_all.deb
  to main/g/ghostscript/gs-gpl_8.71~dfsg2-6.1_all.deb
libgs-dev_8.71~dfsg2-6.1_i386.deb
  to main/g/ghostscript/libgs-dev_8.71~dfsg2-6.1_i386.deb
libgs8_8.71~dfsg2-6.1_i386.deb
  to main/g/ghostscript/libgs8_8.71~dfsg2-6.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 584653@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <michael.s.gilbert@gmail.com> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 09 Dec 2010 21:40:17 -0500
Source: ghostscript
Binary: ghostscript gs-esp gs-gpl gs-common ghostscript-cups ghostscript-x ghostscript-doc libgs8 libgs-dev
Architecture: source all i386
Version: 8.71~dfsg2-6.1
Distribution: unstable
Urgency: medium
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Michael Gilbert <michael.s.gilbert@gmail.com>
Description: 
 ghostscript - The GPL Ghostscript PostScript/PDF interpreter
 ghostscript-cups - The GPL Ghostscript PostScript/PDF interpreter - CUPS filters
 ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - Documentation
 ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display suppor
 gs-common  - Dummy package depending on ghostscript
 gs-esp     - Transitional package
 gs-gpl     - Transitional package
 libgs-dev  - The Ghostscript PostScript Library - Development Files
 libgs8     - The Ghostscript PostScript/PDF interpreter Library
Closes: 584653 584663
Changes: 
 ghostscript (8.71~dfsg2-6.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix various aspects of CVE-2010-2055:
     - Honor -P- command-line option (closes: #584653).
     - Set SEARCH_HERE_FIRST=0 by default (closes: #584663).





Reply sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
You have taken responsibility. (Tue, 28 Dec 2010 00:36:08 GMT) (full text, mbox, link).


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Tue, 28 Dec 2010 00:36:08 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Feb 2011 07:32:35 GMT) (full text, mbox, link).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:59:29 2019; Machine Name: buxtehude
