From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: bug#32515: GNOME thumbnailing code execution vulnerabilities
Date: Mon, 25 Feb 2019 18:39:06 -0500
Message-ID: <20190225233906.GA16808@jasmine.lan>
References: <20180823210151.GA18406@jasmine.lan>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="Kj7319i9nmIyA2yE"
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([209.51.188.92]:60448)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1gyPqt-0003bB-U9
	for bug-guix@gnu.org; Mon, 25 Feb 2019 18:40:07 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1gyPqt-0005hM-6N
	for bug-guix@gnu.org; Mon, 25 Feb 2019 18:40:03 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:38341)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1gyPqs-0005gJ-8d
	for bug-guix@gnu.org; Mon, 25 Feb 2019 18:40:03 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1gyPqs-000283-2o
	for bug-guix@gnu.org; Mon, 25 Feb 2019 18:40:02 -0500
In-Reply-To: <20180823210151.GA18406@jasmine.lan>
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.32515.B32515.15511379598113@debbugs.gnu.org>
Content-Disposition: inline
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix/>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: 32515@debbugs.gnu.org


--Kj7319i9nmIyA2yE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Since this bug was filed, Ghostscript has received more scrutiny and
serious bugs continue to be found.

The recommendation of the researchers seems to be to disable and remove
Ghostscript unless a Postcript interpreter is actually necessary.

Barring that, we should keep our package up to date and try to make sure
the GNOME thumbnailer and other "hidden" users of Ghostscript are run in
containers.

Is anyone willing to look into the GNOME thumbnailer?

--Kj7319i9nmIyA2yE
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlx0fJoACgkQJkb6MLrK
fwhtJhAA6BTLJaWa9YBrWBEUJ+3EMZrOYPro0BTDSpoTHPJ8rHE8Ux+8rBoJMXPb
T6zGNquqqAenrv77RTddmKUUPtPig9jCEOr7jjx6tgV0fU7GjpOp+WSv7VsTz5gZ
EnFVKo7fnf6tymZ87Anca7bCFT0PewLrcsVKPAcX7WMCO5jll1kLQ8k1zRQLk1Hh
4+iAzP35XxhBih8D/tfbRf0CboW+47IR7awVLS5W5InXVpeAVR0p/wltrKhp9Egx
Cnp8GcxR5LUBzzcLcPrdrAsOtDM/x5ak4R81wzty9b1u66/4cUyQCF+RAaHcjj8p
GIBaO4rUgXMk3PB4JZNIRO4JloD5djp6CZhjVfjACZbP6OgFPF3Dp1mF1neuMHrW
bcyCNU5PQMnDzqK0sPhFwAxRds8MXFH9PofWE90lwrwgXXrv+a8oMydJ+62UWulD
4dyKUV1MgZMJ2H7n4hyEBiC0RHIwtROjTZmHCFH4ZkQ/24h8OKZofvjSr6Ec4ffe
yhzKwjHSk4IKj9jTYNVs9MRKRMdBR87gvAxvVRm3lAwXhTrJg/oZNQqNXT4iNA50
SupiuyaOJRciNQgaSSJhBlxn9lehzTeQIZsksnY/u/LBG5IZn0KZtq2D6BMROYNA
/NaXXIBUBieA+EMaE0Kbb5BY1z+vMzY5kGej1Rfksuoh1LzFiUY=
=XooQ
-----END PGP SIGNATURE-----

--Kj7319i9nmIyA2yE--