Summary: | app-text/evince should not enable postscript by default | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | gnome |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Hanno Böck
2019-01-25 10:59:27 UTC
ack on disabling the USE flag by default. If you consider renaming it, you most likely want to do it distribution wise though. I am fine with changing IUSE=+postscript to just IUSE=postscript. Thumbnailers are sandboxed with gnome-desktop-3.26 and newer, except for alpha, ia64, m68k, sh and sparc. There will be no individual USE flag renaming, as this is no more insecure than all other distro-wide IUSE=postscript usages. If you ask for postscript support - you get it. Yeah I think I'll open a separate bug how to handle the general issue. Let's just start with removing the + from evince. The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88959e1e79c27822192f67bb7d65bbed4990d4aa commit 88959e1e79c27822192f67bb7d65bbed4990d4aa Author: Mart Raudsepp <leio@gentoo.org> AuthorDate: 2019-02-23 18:34:29 +0000 Commit: Mart Raudsepp <leio@gentoo.org> CommitDate: 2019-02-23 19:38:24 +0000 app-text/evince: don't default enable postscript (security concerns) Closes: https://bugs.gentoo.org/676212 Package-Manager: Portage-2.3.52, Repoman-2.3.12 Signed-off-by: Mart Raudsepp <leio@gentoo.org> app-text/evince/{evince-3.28.5.ebuild => evince-3.28.5-r1.ebuild} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) |