gs is not called with -dSAFER because of a typo, which might allow pdf files to do evil stuff. This is fixed in version 2.05. Either dump or apply this simple patch (gained from a diff 2.04->2.05): --- fbida-2.04/fbgs 2006-04-10 09:43:01.000000000 +0200 +++ fbida-2.05/fbgs 2006-07-25 09:26:16.000000000 +0200 @@ -51,7 +51,7 @@ echo echo "### rendering pages, please wait ... ###" echo -gs -dSAVER -dNOPAUSE -dBATCH \ +gs -dSAFER -dNOPAUSE -dBATCH \ -sPDFPassword="$password" \ -sDEVICE=${device} -sOutputFile=$DIR/ps%03d.tiff \ $gsopts \
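Review bot: On the corrected gs line, $gsopts is still expanded unquoted after -dSAFER, so whatever the caller puts in it is appended to the same invocation; add a comment that -dSAFER must stay and check that nothing passed through $gsopts can switch it off again. The misspelled -dSAVER went unnoticed because gs accepted the unknown -d name without complaint, so the same kind of typo would again fail silently. In the same command, $DIR in -sOutputFile=$DIR/ps%03d.tiff is unquoted and should be quoted the way "$password" is, and passing the password as -sPDFPassword on the command line leaves it visible in the process list.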
spock please bump with patch.
Fixed in CVS, thanks.
Fixed in 2.03-r4, already stable, thanks Michal. The "?" in B2? calls for a vote, I'd say this warrants a GLSA.
Yes. Does "pdf files to do evil stuff" mean code execution? (==> B2 sure)
Let's have a GLSA on this one as well.
GLSA 200608-22, thanks everybody.