Re: latest Stretch update breaks Scribus!

On Sun, Nov 18, 2018 at 11:19:00AM -0500, Gary Dale wrote:
> This is one of the those WTF moments. Despite the fact that Ghostscript 9.25
> has been known to break Scribus since at least the start of the month, the
> Stable version of Ghostscript has just been changed from 9.22 to 9.25.
Of course, the world does not revolve around Scribus.

> This was apparently done to patch a security hole - possibly
> https://www.cvedetails.com/cve/CVE-2018-10194/ found in 2018-04-18. However
> it seems to me that the cure is worse than the disease since it now renders
> an important (for me, anyway) application useless. Instead I need to keep
> the old version of Ghostscript on my laptop in order to be able to import
> EPS & PDF files and export the document to PDF.
The complete changelog [0] for the new version shows that there were
lots of changes.

> I recognize that there is no perfect solution to this problem but breaking
> an existing program should not be allowed within the Stable branch.
Though I was not involved in this particular decision, I have been
involved in some of Debian's security work.  There are occasions where
the security team must balance the impact of a fix against users.  There
are instances where the decision is made (based on severity of
vulnerability, likelihood of exploitation, exploitability via remote
means, availability of workarounds, and other factors) to not fix
something because the fix is too intrusive (and may break something).
There are other occasions where the decision is made to make a fix that
might introduce some breakage along with it, because the vulnerability
is of a severity that justifies that.

Breaking existing applications is not taken lightly, and the security
team goes to great lengths to prevent breakage altogether or to minimize
breakage when avoidance is not possible.

> I'm glad that I luckily created a virtual machine running Stretch just as
> the upgrade to Ghostscript was added to Stable so that I can stop it from
> affecting my laptop. At least I still have a machine that can handle Scribus
> documents containing PDFs. However I believe the maintainers should roll
> back the update until they have a version that works with Scribus.

According to the package tracker [1] version 9.20~dfsg-3.2+deb9u5 is
still available in stretch.  That means that those previous-version
packages are still installable on your system.  You can do something like:

apt-get install ghostscript=9.20~dfsg-3.2+deb9u5 libgs9=9.20~dfsg-3.2+deb9u5 libgs9-common=9.20~dfsg-3.2+deb9u5

If you have other GS packages installed (e.g., ghostscript-x, libgs-dev,
etc.) then you will need to include them in the command.

Once you have done that, put them on hold in whatever package manager(s)
you use.  The procedure varies based on the particular package manager,
so you should consult the documentation.  In any event, the "hold"
status will prevent future upgrades of the packages, allowing you to
retain the functionality that you need.
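The install-and-hold procedure above, worked through for apt on stretch as an added example (this is not part of the original reply): it assumes the three packages named in the reply, uses an apt preferences pin plus apt-mark hold, and the preferences file name is my own choice.

```sh
#!/bin/sh
# Added example, not from the original thread: pin the Ghostscript packages to
# the stretch version named in the reply, hold them, and check what is installed.
# Remove the pin and hold once a fixed version that works for you is available.

GS_VERSION="9.20~dfsg-3.2+deb9u5"
GS_PKGS="ghostscript libgs9 libgs9-common"   # add ghostscript-x, libgs-dev, ... if installed

# Print the apt-get line that installs every listed package at GS_VERSION.
build_install_cmd() {
  cmd="apt-get install"
  for p in $GS_PKGS; do
    cmd="$cmd $p=$GS_VERSION"
  done
  printf '%s\n' "$cmd"
}

# Print one apt preferences stanza per package. A priority above 1000 lets apt
# downgrade to this version and keep it even when stable carries a newer one.
build_pin_stanzas() {
  for p in $GS_PKGS; do
    printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' "$p" "$GS_VERSION"
  done
}

# Read "<package> <version>" lines (the shape of dpkg-query -W output) on stdin
# and print the listed packages whose installed version is not GS_VERSION.
check_versions() {
  while read -r pkg ver; do
    for p in $GS_PKGS; do
      if [ "$pkg" = "$p" ] && [ "$ver" != "$GS_VERSION" ]; then
        printf '%s %s\n' "$pkg" "$ver"
      fi
    done
  done
}

# Apply on a stretch system as root: install the pinned versions, write the
# pin file (path chosen here), mark the packages hold, then report stragglers.
apply_pin() {
  sh -c "$(build_install_cmd)"
  build_pin_stanzas > /etc/apt/preferences.d/ghostscript-9.20
  apt-mark hold $GS_PKGS
  dpkg-query -W -f='${Package} ${Version}\n' $GS_PKGS | check_versions
}

# Only touch the system when invoked as "sh pin-gs.sh apply".
if [ "${1:-}" = "apply" ]; then
  apply_pin
fi
```

Running `dpkg-query -W -f='${Package} ${Version}\n' $GS_PKGS | check_versions` on its own is a safe read-only check of whether the hold is still in effect after a later upgrade.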

You might consider contacting the security team to see if they will
reconsider, but that is very unlikely to happen.
[0] https://tracker.debian.org/news/1002381/accepted-ghostscript-925dfsg-0deb9u1-source-into-stable-embargoed-stable/
[1] https://tracker.debian.org/pkg/ghostscript

Roberto C. Sánchez