Arch Linux


FS#62102 - [ghostscript] CVE-2019-3835, CVE-2019-3838

Attached to Project: Arch Linux
Opened by Pascal E. (hardfalcon) - Thursday, 21 March 2019, 16:04 GMT
Last edited by Andreas Radke (AndyRTR) - Thursday, 04 April 2019, 19:34 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: Andreas Radke (AndyRTR), Levente Polyak (anthraxx)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No
This task depends upon

Closed by: Andreas Radke (AndyRTR)
Thursday, 04 April 2019, 19:34 GMT
Reason for closing: Fixed
Additional comments about closing: 9.27-1
Comment by Santiago Torres (sangy) - Thursday, 21 March 2019, 16:20 GMT
Comment by Andreas Radke (AndyRTR) - Thursday, 21 March 2019, 17:13 GMT
The patches do not cleanly apply to 9.26 - just asking upstream if they will push some backport to 9.26 release again. 9.27 is in testing status and may need some more time until release.
Comment by Andreas Radke (AndyRTR) - Thursday, 21 March 2019, 17:16 GMT
Upstream is not going to backport anything this time.
Comment by Jake Kreiger (Magali75) - Friday, 22 March 2019, 13:25 GMT
Maybe you could split the ghostscript package into 'ghostscript' + 'libgs' and use only the latter as a dependency for other packages (the former could be an optional one). This way users could get rid of the ghostscript binaries.

Also it may be worth building ImageMagick with `--without-gslib`. It will allow replacing https://git.archlinux.org/svntogit/packages.git/tree/trunk/IM7-GS-policy.patch?h=packages/imagemagick with <policy domain="delegate" rights="none" pattern="gs" /> as a more bearable workaround for users.
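
Added example, not part of the comment above and not Arch or ImageMagick project code: a small audit that reads an ImageMagick policy file and reports whether the `gs` delegate is denied by an entry such as the one quoted in the comment. The sample policies are constructed, the function name is hypothetical, and `fnmatch` is assumed to be a close enough stand-in for ImageMagick's own glob matching.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample policy files, not copied from any real system or package.
BLOCKED = """<policymap>
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="delegate" rights="none" pattern="gs" />
</policymap>"""
UNRESTRICTED = """<policymap>
  <policy domain="coder" rights="read|write" pattern="PNG" />
</policymap>"""
CONFLICT = """<policymap>
  <policy domain="delegate" rights="none" pattern="*" />
  <policy domain="delegate" rights="execute" pattern="gs" />
</policymap>"""


def delegate_status(policy_xml, delegate="gs"):
    """Classify how the delegate-domain entries treat one delegate.

    Returns "blocked" (matching entries all say rights="none"),
    "unrestricted" (no matching entry denies it) or "conflict" (deny and
    grant entries both match, so the result depends on evaluation order
    and the file needs manual review).
    """
    denies, grants = 0, 0
    for entry in ET.fromstring(policy_xml).iter("policy"):
        rights = entry.get("rights")
        if entry.get("domain", "").lower() != "delegate" or rights is None:
            continue
        # Assumption: fnmatch approximates ImageMagick's glob matching;
        # brace alternatives such as {a,b} are not handled here.
        if not fnmatch.fnmatchcase(delegate, entry.get("pattern", "")):
            continue
        if {r.strip().lower() for r in rights.split("|")} == {"none"}:
            denies += 1
        else:
            grants += 1
    if denies and grants:
        return "conflict"
    return "blocked" if denies else "unrestricted"


if __name__ == "__main__":
    for label, xml in (("A", BLOCKED), ("B", UNRESTRICTED), ("C", CONFLICT)):
        print(label, "->", delegate_status(xml))
```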
