Web lists-archives.com

Re: latest Stretch update breaks Scribus!




On Sun, Nov 18, 2018 at 11:49:05PM -0500, Gary Dale wrote:
> > > 
> > Of course, the world does not revolve around Scribus.
> 
> No but it is a popular and important package that gives Linux a powerful
> publishing application.
> 
I agree and have been very happy with Scribus in the past when I have
needed a solid publishing application.  However, numerous other
applications also depend on ghostscript, both directly and indirectly.

> > 
> > Breaking existing applications is not taken lightly and the security
> > goes to great lengths to prevent breakage altogether or to minimize
> > breakage when avoidance is not possible.
> 
> There have been lots of security holes found in Ghostscript that seem to
> revolve around buffer overflows, which indicates to me that the Ghostscript
> developers are behind the times in their development tools. Reading the
> security notices about it makes me wonder what hasn't been found yet.
> 
There are some applications and libraries (imagemagick is another that
immediately springs to mind) that just seem to teaming with as yet
undiscovered security vulnerabilities.  I say that because the frequency
with which new issues are reported does not seem to slowing down.

I think that part of it is the advances in analysis tools.  For example,
many of the vulnerabilities I have seen reported and for which I have
either backported or developed fixes over the last year or so have been
found by fuzzing.  That is something that was not done 10 or 20 years
ago, and if it was done it was not done with the sophistication and
thoroughness seen today.

Given that codebases like ghostscript, tiff, imagemagick, and others
have been around for 20 years or more in some cases it is not surprising
that so many issues are just waiting to be discovered.

> However the security holes on the 9.20 version which was used in
> Stretch/Stable until recently have been around for a long time. Presumably
> patches were made along the way so what was different this time?
> 
That is not something that I can answer.  However, based on my
experience with some other packages I can say that there are cases where
a vulnerability is identified and it takes a long time to develop a
proper fix.  The Spectre and Meltdown vulnerabilities which were first
disclosed last year might fall into this category.  Some initial fixes
were made to address the vulnerability and as time went on, those fixes
were refined to mitigate some of the performance impact and improve on
the implementation.

I am not sure what the case was with ghostscript, but it could have been
something similar.

> > 
> > apt-get install ghostscript=9.20~dfsg-3.2+deb9u5 libgs9=9.20~dfsg-3.2+deb9u5 libgs9-common=9.20~dfsg-3.2+deb9u5
> > 
> 
> I've already hunted down the packages and installed them so my virtual
> machine's version of Scribus is working again.
> 
> Apparently the Scribus developers have fixed the incompatibility in the
> current development of 1.4.8 but Buster still uses 1.4.7.
> 
It looks like 1.4.8 has not yet been released, so it might be
unrealistic to expect that it make its way into Debian at this point.
Perhaps you can contact the package maintainer to see if there is some
way you can help speed up the process of getting 1.4.8 into Debian once
it is released.

Regards,

-Roberto

-- 
Roberto C. Sánchez