Paul Szabo
2010-May-29 01:55 UTC
[Secure-testing-team] Bug#583634: evince: Insecure ghostscript invocation
Package: evince
Version: 2.22.2-4~lenny1
Severity: grave
Tags: security
Justification: user security hole

Please see http://bugs.debian.org/583183 for details: evince seems to use
ghostscript in an insecure way when viewing PS files.

Cheers,

Paul Szabo   psz at maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages evince depends on:
ii  gconf2               2.22.0-1              GNOME configuration database syste
ii  gnome-icon-theme     2.22.0-1              GNOME Desktop icon theme
ii  libart-2.0-2         2.3.20-2              Library of functions for 2D graphi
ii  libatk1.0-0          1.22.0-1              The ATK accessibility toolkit
ii  libbonobo2-0         2.22.0-1              Bonobo CORBA interfaces library
ii  libbonoboui2-0       2.22.0-1              The Bonobo UI library
ii  libc6                2.7-18lenny2          GNU C Library: Shared libraries
ii  libcairo2            1.6.4-7               The Cairo 2D vector graphics libra
ii  libdbus-1-3          1.2.1-5+lenny1        simple interprocess messaging syst
ii  libdbus-glib-1-2     0.76-1                simple interprocess messaging syst
ii  libdjvulibre21       3.5.20-8+lenny1       Runtime support for the DjVu image
ii  libgcc1              1:4.3.2-1.1           GCC support library
ii  libgconf2-4          2.22.0-1              GNOME configuration database syste
ii  libglade2-0          1:2.6.2-1             library to load .glade files at ru
ii  libglib2.0-0         2.16.6-3              The GLib library of C routines
ii  libgnome-keyring0    2.22.3-2              GNOME keyring services library
ii  libgnome2-0          2.20.1.1-1            The GNOME 2 library - runtime file
ii  libgnomecanvas2-0    2.20.1.1-1            A powerful object-oriented display
ii  libgnomeui-0         2.20.1.1-2            The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0       1:2.22.0-5            GNOME Virtual File System (runtime
ii  libgtk2.0-0          2.12.12-1~lenny1      The GTK+ graphical user interface
ii  libice6              2:1.0.4-1             X11 Inter-Client Exchange library
ii  libjpeg62            6b-14                 The Independent JPEG Group's JPEG
ii  libkpathsea4         2007.dfsg.2-4+lenny2  TeX Live: path search library for
ii  libnautilus-extensi  2.20.0-7              libraries for nautilus components
ii  liborbit2            1:2.14.13-0.1         libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0        1.20.5-5+lenny1       Layout and rendering of internatio
ii  libpoppler-glib3     0.8.7-3               PDF rendering library (GLib-based
ii  libpopt0             1.14-4                lib for parsing cmdline parameters
ii  libsm6               2:1.0.3-2             X11 Session Management library
ii  libspectre1          0.2.0.ds-1            Library for rendering Postscript d
ii  libstdc++6           4.3.2-1.1             The GNU Standard C++ Library v3
ii  libtiff4             3.8.2-11.2            Tag Image File Format (TIFF) libra
ii  libx11-6             2:1.1.5-2             X11 client-side library
ii  libxml2              2.6.32.dfsg-5+lenny1  GNOME XML library
ii  shared-mime-info     0.30-2                FreeDesktop.org shared MIME databa
ii  zlib1g               1:1.2.3.3.dfsg-12     compression library - runtime

Versions of packages evince recommends:
ii  dbus-x11             1.2.1-5+lenny1        simple interprocess messaging syst

Versions of packages evince suggests:
pn  poppler-data         <none>                (no description available)
ii  unrar                1:3.8.2-1             Unarchiver for .rar files (non-fre

-- no debconf information