I've isolated and applied the patches needed to fix CVE-2010-2055 in ghostscript. See attached debdiff.

Would anyone be so kind to sponsor this? The package is at:
http://mentors.debian.net/debian/pool/main/g/ghostscript/

Mike

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ghostscript.debdiff
Type: application/octet-stream
Size: 21201 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20101209/eb0722fb/attachment-0001.obj>
On Thu, Dec 09, 2010 at 10:48:46PM -0500, Michael Gilbert wrote:
> I've isolated and applied the patches needed to fix CVE-2010-2055 in
> ghostscript. See attached debdiff.
>
> Would anyone be so kind to sponsor this? The package is at:
> http://mentors.debian.net/debian/pool/main/g/ghostscript/

I don't have time to sponsor this currently, but this should be uploaded with urgency=low, since there's the potential that applications rely on the old, broken behaviour.

I also remember that Jonas is still considering to introduce Ghostscript 9.0 into Squeeze. Jonas, what's the current status?

Cheers,
Moritz
On Fri, 10 Dec 2010 19:45:18 +0100, Moritz Muehlenhoff wrote:
> On Thu, Dec 09, 2010 at 10:48:46PM -0500, Michael Gilbert wrote:
> > I've isolated and applied the patches needed to fix CVE-2010-2055 in
> > ghostscript. See attached debdiff.
> >
> > Would anyone be so kind to sponsor this? The package is at:
> > http://mentors.debian.net/debian/pool/main/g/ghostscript/
>
> I don't have time to sponsor this currently, but this should be
> uploaded with urgency=low, since there's the potential that
> applications rely on the old, broken behaviour.
>
> I also remember that Jonas is still considering to introduce
> Ghostscript 9.0 into Squeeze. Jonas, what's the current status?

The release team said that the diff was unreviewable and said no.

Mike
On Fri, Dec 10, 2010 at 07:45:18PM +0100, Moritz Muehlenhoff wrote:
> On Thu, Dec 09, 2010 at 10:48:46PM -0500, Michael Gilbert wrote:
> > I've isolated and applied the patches needed to fix CVE-2010-2055 in
> > ghostscript. See attached debdiff.
> >
> > Would anyone be so kind to sponsor this? The package is at:
> > http://mentors.debian.net/debian/pool/main/g/ghostscript/
>
> I don't have time to sponsor this currently, but this should be
> uploaded with urgency=low, since there's the potential that
> applications rely on the old, broken behaviour.
>
> I also remember that Jonas is still considering to introduce
> Ghostscript 9.0 into Squeeze. Jonas, what's the current status?

Michael is right - release team apparently was following my work and turned it down even before formally proposing it:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584653#132

@Michael: Sorry, I won't sponsor your patch. As stated earlier as well, I consider myself incompetent juggling any more patches on top of the 8.71 stack.

You are quite welcome to join the ghostscript packaging team and take responsibility of it yourself - for the full duration of the next stable release cycle!

The packaging currently in experimental contains the minimal changeset I felt comfortable releasing for Debian Squeeze. Now that it has been turned down, my plan is to use the experimental branch for continued improvements cherry-picked from upstream VCS. If the release team should change their minds, it is easy for me to revive the current work and release it for unstable - if not (or the release of Squeeze) I will avoid the unstable branch.

Kind regards, and thanks anyway for your contribution,

- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/

[x] quote me freely [ ] ask before reusing [ ] keep private
On Fri, 10 Dec 2010 21:24:57 +0100, Jonas Smedegaard wrote:
> On Fri, Dec 10, 2010 at 07:45:18PM +0100, Moritz Muehlenhoff wrote:
> > On Thu, Dec 09, 2010 at 10:48:46PM -0500, Michael Gilbert wrote:
> > > I've isolated and applied the patches needed to fix CVE-2010-2055 in
> > > ghostscript. See attached debdiff.
> > >
> > > Would anyone be so kind to sponsor this? The package is at:
> > > http://mentors.debian.net/debian/pool/main/g/ghostscript/
> >
> > I don't have time to sponsor this currently, but this should be
> > uploaded with urgency=low, since there's the potential that
> > applications rely on the old, broken behaviour.
> >
> > I also remember that Jonas is still considering to introduce
> > Ghostscript 9.0 into Squeeze. Jonas, what's the current status?
>
> Michael is right - release team apparently was following my work and
> turned it down even before formally proposing it:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584653#132
>
> @Michael: Sorry, I won't sponsor your patch. As stated earlier as well,
> I consider myself incompetent juggling any more patches on top of the
> 8.71 stack.

The patches are actually rather small.

> You are quite welcome to join the ghostscript packaging team and take
> responsibility of it yourself - for the full duration of the next stable
> release cycle!

What exactly do you want me to do? I'm a DM, so I can't upload myself (without dm-upload-allowed). I could add that, but I still need an initial sponsor.

In the meantime I've joined the ghostscript mailing list and requested to join the alioth project.

Mike