Leo Famulari (26 Feb 2019) wrote:
> Since this bug was filed, Ghostscript has received more scrutiny and
> serious bugs continue to be found.

I assume you meant ‘fixed’.

> [...]
> Barring that, we should keep our package up to date

ghostscript can be updated to 9.54 (https://ghostscript.com/download/gsdnld.html).
This will require grafts due to many depending packages. However, looking at
https://bugs.ghostscript.com/buglist.cgi?order=Bug%20Number&product=Ghostscript&query_format=advanced&resolution=---&version=9.52&version=9.53.0&version=9.53.1&version=9.53.2&version=9.53.3&version=9.54.0
it seems there are no known security vulnerabilities.

evince can be updated from 3.36.5 to 40.0 according to "guix refresh"; that would
be done in https://issues.guix.gnu.org/47643 I think.

> and try to make sure
> the GNOME thumbnailer and other "hidden" users of Ghostscript are run in
> containers.

The thumbnailer is run in a container, using bubblewrap and seccomp:

$ guix graph --type=references gnome-desktop
> [snip]
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" ->
> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color =
> darkseagreen];
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" ->
> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color =
> darkseagreen];
> [snip]

$ EDITOR=less guix edit gnome-desktop
> [snip]
> ("bubblewrap" ,bubblewrap)
> [snip]

$ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> [snip]
> [an add_bwrap function with bind mounts and --unshare-all]
> [a setup_seccomp function]
> [snip]

Closing.

Greetings,
Maxime.
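The reference-graph check above can be scripted so it does not depend on eyeballing `guix graph` output. The following POSIX shell helper is an added example, not part of the original message or of Guix: it reads the dot graph that `guix graph --type=references` prints and reports whether a package directly references bubblewrap and libseccomp. The sample graph is constructed from the two edges quoted above plus a made-up glib edge with a placeholder hash.

```shell
#!/bin/sh
# Added example, not from the original message: scan the dot output of
# `guix graph --type=references PACKAGE` for the sandboxing dependencies
# (bubblewrap, libseccomp) that the thumbnailer container relies on.
# Assumes one edge per line, as guix graph prints it (the copy in the
# bug report was only wrapped by the mail client).

# sandbox_refs NAME   (reads a dot graph on stdin)
# Prints the bubblewrap/libseccomp store items that package NAME references.
sandbox_refs() {
  awk -v pkg="$1" '
    # Edge lines: "/gnu/store/<hash>-<src>" -> "/gnu/store/<hash>-<dst>" [color = ...];
    $2 == "->" {
      src = $1; dst = $3
      gsub(/"/, "", src); gsub(/"/, "", dst)
      sub(/^\/gnu\/store\/[a-z0-9]+-/, "", src)   # keep only name-version
      sub(/^\/gnu\/store\/[a-z0-9]+-/, "", dst)
      if (index(src, pkg "-") == 1 && dst ~ /^(bubblewrap|libseccomp)-/)
        print dst
    }'
}

# check_sandboxed NAME: exit status 0 only if NAME references both tools.
check_sandboxed() {
  refs=$(sandbox_refs "$1")
  case "$refs" in *bubblewrap-*) ;; *) return 1 ;; esac
  case "$refs" in *libseccomp-*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample graph: the two edges quoted in the bug report plus a
# made-up glib edge (placeholder hash) standing in for a non-sandbox reference.
SAMPLE_GRAPH='digraph "Guix references" {
  "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
  "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
  "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-glib-2.62.6" [color = darkseagreen];
}'

# Real use: guix graph --type=references gnome-desktop | check_sandboxed gnome-desktop
if printf '%s\n' "$SAMPLE_GRAPH" | check_sandboxed gnome-desktop; then
  echo "gnome-desktop references bubblewrap and libseccomp"
fi
```

Only direct edges from the named package are counted, so a sandbox tool that is pulled in solely through another dependency is reported as absent; that is the conservative reading for a "is this thumbnailer actually containerised" check.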