FS#62102 - [ghostscript] CVE-2019-3835, CVE-2019-3838

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Thursday, 21 March 2019, 16:04 GMT
Last edited by Andreas Radke (AndyRTR) - Thursday, 04 April 2019, 19:34 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Andreas Radke (AndyRTR)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No
This task depends upon

Closed by Andreas Radke (AndyRTR)
Thursday, 04 April 2019, 19:34 GMT
Reason for closing: Fixed
Additional comments about closing: 9.27-1
Comment by Santiago Torres (sangy) - Thursday, 21 March 2019, 16:20 GMT
Comment by Andreas Radke (AndyRTR) - Thursday, 21 March 2019, 17:13 GMT
The patches do not cleanly apply to 9.26 - just asking upstream if they will push some backport to 9.26 release again. 9.27 is in testing status and may need some more time until release.
Comment by Andreas Radke (AndyRTR) - Thursday, 21 March 2019, 17:16 GMT
Upstream is not going to backport anything this time.
Comment by Jake Kreiger (Magali75) - Friday, 22 March 2019, 13:25 GMT
Maybe you could split the ghostscript package into 'ghostscript' + 'libgs' and use only the latter as a dependency for other packages (the former could be an optional one). This way users could get rid of the ghostscript binaries.

Also it may be worth building ImageMagick with `--without-gslib'. It will allow replacing https://git.archlinux.org/svntogit/packages.git/tree/trunk/IM7-GS-policy.patch?h=packages/imagemagick with <policy domain="delegate" rights="none" pattern="gs" /> as a more bearable workaround for users.
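
Added example, not part of the tracker thread and not Arch or ImageMagick code: a small audit that checks whether a policy.xml actually carries the delegate rule quoted in the comment above, and that the rule is not commented out or contradicted by another delegate rule. The sample policy files are constructed; the glob matching via fnmatch and the conservative "any matching grant means not blocked" decision are assumptions of this sketch, not ImageMagick's exact evaluation logic.

```python
"""Audit an ImageMagick policy.xml for the gs delegate workaround (added example)."""
import fnmatch
import xml.etree.ElementTree as ET


def _alternatives(pattern):
    # Simplification: expand only a whole-pattern brace list such as "{gs,foo}".
    if pattern.startswith("{") and pattern.endswith("}"):
        return [p.strip() for p in pattern[1:-1].split(",")]
    return [pattern]


def _matches(pattern, name):
    # Approximates ImageMagick's glob matching with case-sensitive fnmatch.
    return any(fnmatch.fnmatchcase(name, alt) for alt in _alternatives(pattern))


def gs_delegate_status(policy_xml, delegate="gs"):
    """Return which delegate-domain rules deny or grant rights to `delegate`."""
    root = ET.fromstring(policy_xml)  # XML comments are dropped by the parser
    denies, grants = [], []
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "delegate":
            continue
        pattern = pol.get("pattern", "")
        if not _matches(pattern, delegate):
            continue
        rights = pol.get("rights", "").strip().lower()
        (denies if rights == "none" else grants).append(pattern)
    # Conservative: blocked only if a deny rule exists and nothing grants rights.
    return {"blocked": bool(denies) and not grants,
            "denies": denies, "grants": grants}


# Constructed sample policies.
HARDENED = '<policymap><policy domain="delegate" rights="none" pattern="gs" /></policymap>'
COMMENTED = ('<policymap><!-- <policy domain="delegate" rights="none" '
             'pattern="gs" /> --></policymap>')
CONFLICT = ('<policymap>'
            '<policy domain="delegate" rights="none" pattern="gs" />'
            '<policy domain="delegate" rights="read|write" pattern="*" />'
            '</policymap>')

if __name__ == "__main__":
    for name, xml in (("hardened", HARDENED), ("commented", COMMENTED),
                      ("conflict", CONFLICT)):
        print(name, gs_delegate_status(xml))
```

On a real system the input would be the contents of the installed policy.xml; a result with "blocked" false and a non-empty "grants" list points at the rule that needs review.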
