Fixing new ghostscript vulnerabilities
Nelson H. F. Beebe
2018-09-15 16:47:45 UTC
I expect that several members of this list have been long time users
of the ghostscript tool suite, without ever having built it from
source code themselves. Here is a portion of a posting that I
just made to a local campus mailing list that describes why, and
...
Last weekend, to address recently discovered security vulnerabilities,
Artifex Software released ghostscript and ghostpdl versions 9.25.
I've been a ghostscript tester since 1993, and am a member of its
developers mailing list, so I was involved in the testing of that
release.
At the time of news stories about the vulnerabilities [links are in a
previous message to this list from me today], the problems had not yet
been reported to the Common Vulnerabilities and Exposures (CVE)
database at
http://cve.mitre.org/cve/
but the latest entry there today at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16802
and about a dozen very recent CVE entries discuss the flaws.
Because ghostscript and its many tools form a widely used system for
viewing and processing PDF and PostScript files (the only high-quality
platform-independent archival document display formats that we have),
because O/S vendors are far behind in their versions of that software,
and because ghostscript is likely to be installed on many campus
computers, I believe that we need to address the problem by installing
locally-built versions from the latest 9.25 (or later) software
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
The download site has source packages, as well as prebuilt *.exe files
for installing on Microsoft Windows systems.
I prefer the ghostpdl package over the ghostscript and ghostpcl
packages, because it is a combination of both of those.
Today, on a Mac OS X 10.11 (El Capitan) system, I successfully built
% tar xfz /PATH/TO/DOWNLOAD/ghostpdl-gs9.tar.gz
# for csh / tcsh login shells
% set path=( /bin /usr/bin )
# for sh / bash / ksh login shells
$ PATH=/bin:/usr/bin ; export PATH
% unsetenv CONFIG_SITE
% ./configure --prefix=$L && make all check
% bin/gs examples/tiger.eps
% make install
Here $L expands to our local installation tree prefix; its default, if
omitted, is /usr/local, but we have long avoided that choice, for
http://www.math.utah.edu/faq/software/software.html#FAQ-1
...
-------------------------------------------------------------------------------
- Nelson H. F. Beebe Tel: +1 801 581 5254 -
- University of Utah FAX: +1 801 581 4148 -
- Department of Mathematics, 110 LCB Internet e-mail: ***@math.utah.edu -
- 155 S 1400 E RM 233 ***@acm.org ***@computer.org -
- Salt Lake City, UT 84112-0090, USA URL: http://www.math.utah.edu/~beebe/ -
-------------------------------------------------------------------------------
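
Added example, not part of the original post: a POSIX shell check that lists every gs executable on PATH and flags any older than the 9.25 release recommended above, so that a vendor copy left behind after a local install is still noticed. The names version_ge and audit_gs are made up for this example; the only ghostscript feature used is "gs --version".

```shell
#!/bin/sh
# Added example (not from the original post): report every gs executable on
# PATH that is older than the 9.25 release the post recommends.
MIN_VERSION=9.25

# version_ge A B: return 0 if dotted version A >= B, 1 if A < B,
# 2 if either string is empty or contains anything but digits and dots.
version_ge() {
    va=$1 vb=$2
    for v in "$va" "$vb"; do
        case $v in ''|*[!0-9.]*) return 2 ;; esac
    done
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa=${va%%.*} fb=${vb%%.*}
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        if [ "${fa:-0}" -gt "${fb:-0}" ]; then return 0; fi
        if [ "${fa:-0}" -lt "${fb:-0}" ]; then return 1; fi
    done
    return 0
}

# audit_gs: print one line per gs found in the PATH directories; return 1 if
# any copy is older than MIN_VERSION or does not report a usable version.
audit_gs() {
    status=0
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        IFS=$old_ifs
        gs_bin=${dir:-.}/gs
        [ -x "$gs_bin" ] && [ ! -d "$gs_bin" ] || continue
        ver=$("$gs_bin" --version 2>/dev/null) || ver=
        if version_ge "$ver" "$MIN_VERSION"; then
            echo "OK       $gs_bin $ver"
        else
            echo "UPGRADE  $gs_bin ${ver:-unknown}"
            status=1
        fi
    done
    IFS=$old_ifs
    return $status
}

# Run the audit only when asked, e.g.:  sh audit-gs.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_gs; exit $?; fi
```

The first gs on PATH shadows later ones, but an older copy further down remains reachable by absolute path from print filters and converters, which is why every directory is checked.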