Re: CVE Request - multiple ghostscript -dSAFER sandbox problems

[Tavis Ormandy <taviso () google com>]

On Wed, Oct 5, 2016 at 9:54 AM, Tavis Ormandy <taviso () google com> wrote:
> On Wed, Oct 5, 2016 at 9:47 AM, Hanno Böck <hanno () hboeck de> wrote:
> > On Wed, 5 Oct 2016 09:13:03 -0700
> > Tavis Ormandy <taviso () google com> wrote:
> >
> > > If you're using ImageMagick, I would recommend disabling the PS, EPS,
> > > PDF and XPS coders in policy.xml. Applications like gimp, evince,
> > > claws, and most other applications that generate thumbnails of PDF/PS
> > > documents should probably not do so without a prompt (NOTE: A lot of
> > > packages do this
> >
> > I was surprised to see evince in this list. It uses poppler for pdf and
> > libspectre for postscript, so there seems to be no use of
> > ghostscript (maybe in an older version).
> > Also for claws the only use of ghostscript is in a plugin that's not
> > enabled by default.
>
> It might be an old version but the version I have on RHEL7 and Ubuntu
> LTS both invoke gs by default.
>
> $ evince --version
> GNOME Document Viewer 3.14.2

Oops, I think I may be wrong about that, I just saw that some of my
test cases repro and assumed it was using ghostscript.

Maybe there are poppler issues as well, sigh.

Tavis.