evince has +postscript in IUSE, making it the default. Postscript support opens evince up to very dangerous code execution vulnerabilities. Given that evince also installs a thumbnailer, basically viewing a directory with a malicious Postscript file is enough to gain code execution. The background is that postscript is effectively not just a document format, but a programming language. The ghostscript software has a weak "sandbox" (the -DSAFER parameter) which evince uses (through libspectre), but there's a constant flood of bugs bypassing this protection. Tavis Ormandy just published an exploit that works in the latest version of ghostscript [1]. Upstream disabled postscript by default a while ago [2]. As a first step I think evince should disable postscript by default. But even just enabling it with USE="postscript" seems dangerous to me, as users wouldn't be aware that enabling postscript support also enables code execution vulnerabilities. Maybe rename the use flag to "postscript-dangerous" or have some "IKNOWWHATIMDOING" var that needs to be set.

[1] https://www.openwall.com/lists/oss-security/2019/01/23/5
[2] https://gitlab.gnome.org/GNOME/evince/commit/1621cacf75ebff4ab4ab0fa6855977a2d8da0ac6
ack on disabling the USE flag by default. If you consider renaming it, you most likely want to do it distribution wise though.
I am fine with changing IUSE=+postscript to just IUSE=postscript. Thumbnailers are sandboxed with gnome-desktop-3.26 and newer, except for alpha, ia64, m68k, sh and sparc. There will be no individual USE flag renaming, as this is no more insecure than all other distro-wide IUSE=postscript usages. If you ask for postscript support - you get it.
Yeah I think I'll open a separate bug how to handle the general issue. Let's just start with removing the + from evince.
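As an added illustration of what the IUSE change in this thread means for users (constructed example, not code from the bug or from Gentoo): the first function resolves a flag's effective state from the two IUSE spellings (+postscript versus postscript) plus the user's USE string, the second reads Portage's installed-package database to see whether an already-built evince has postscript compiled in. The VDB root is a parameter so the check can be pointed at a fake tree; the default path /var/db/pkg and the USE file layout are assumptions about a standard Portage install.

```shell
#!/bin/sh
# Resolve a USE flag the way Portage treats IUSE defaults:
#   "+flag" in IUSE  -> enabled unless the user sets USE="-flag"
#   "flag"  in IUSE  -> disabled unless the user sets USE="flag"
# $1 = IUSE string (e.g. "+postscript djvu"), $2 = USE string, $3 = flag.
# Prints "on" or "off".
use_flag_state() {
    iuse="$1"; use="$2"; flag="$3"
    state="off"
    for entry in $iuse; do
        [ "$entry" = "+$flag" ] && state="on"
    done
    # USE is incremental: a later entry overrides an earlier one.
    for entry in $use; do
        [ "$entry" = "$flag" ] && state="on"
        [ "$entry" = "-$flag" ] && state="off"
    done
    echo "$state"
}

# Check an installed evince. Portage records the flags a package was built
# with in <vdb>/<category>/<pkg-version>/USE (one line, space separated).
# $1 = VDB root (assumed default /var/db/pkg). Prints "enabled" if any
# installed app-text/evince was built with postscript, else "disabled".
evince_postscript_state() {
    vdb="${1:-/var/db/pkg}"
    result="disabled"
    for pkgdir in "$vdb"/app-text/evince-*; do
        [ -f "$pkgdir/USE" ] || continue
        for entry in $(cat "$pkgdir/USE"); do
            [ "$entry" = "postscript" ] && result="enabled"
        done
    done
    echo "$result"
}

# Line for /etc/portage/package.use that keeps postscript off for evince
# regardless of which IUSE default the ebuild ships with.
package_use_line() {
    echo "app-text/evince -postscript"
}

# Stand-alone run: report the live system and the pin to apply.
if [ "${1:-}" = "--check" ]; then
    echo "installed evince postscript: $(evince_postscript_state)"
    echo "package.use pin: $(package_use_line)"
fi
```

Run with `sh check.sh --check` on a Gentoo host; the functions can also be sourced and called individually.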
The bug has been closed via the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88959e1e79c27822192f67bb7d65bbed4990d4aa

commit 88959e1e79c27822192f67bb7d65bbed4990d4aa
Author: Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-02-23 18:34:29 +0000
Commit: Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-02-23 19:38:24 +0000

app-text/evince: don't default enable postscript (security concerns)

Closes: https://bugs.gentoo.org/676212
Package-Manager: Portage-2.3.52, Repoman-2.3.12
Signed-off-by: Mart Raudsepp <leio@gentoo.org>

app-text/evince/{evince-3.28.5.ebuild => evince-3.28.5-r1.ebuild} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)