On Sun, 9 Dec 2018 at 16:46, Philip Webb <purs...@ca.inter.net> wrote:
>
> 181209 Marc Joliet wrote:
> > On Sunday, 9 December 2018, 11:35:16 CET, Philip Webb wrote:
> >> What exactly are the "security reasons" ?
> >> Do they apply to a single-user system ? -- if not,
> >> why is the restrictive version of the policy file installed by default
> >> rather than a warning at the end of the emerge output ?
> > Good question. Checking the git log, the change was made over two commits:
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02765dfc333e578af9e3fd525fc0067dc47d6528
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df7afbda6b12a68578833225e694cee011b20342
> > The commit messages point to https://www.kb.cert.org/vuls/id/332928/
> > and https://bugs.gentoo.org/664236,
> > which basically explain in more detail what Mick summarized yesterday.
>
> It looks to me like an over-reaction to a fairly unlikely exploit.
> You are protected if you don't download images from untrusted sites
> or if you don't run Ghostscript as root (who would ? ).
>
> It's true that you can use 'img2pdf' instead, which is perhaps the solution.
More important than that, it seems the vulnerability is in ghostscript, and the vulnerable versions are no longer even in portage, so shouldn't the change have been reverted by now?

Arve
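Whether the restriction is still needed is a question one can only answer after seeing what the installed policy file actually blocks. The following is an added example, not code from this thread or from Gentoo: a small Python checker that parses an ImageMagick-style policy.xml (the assumption here is that this is the "policy file" the thread refers to, since the thread itself never names ImageMagick; VU#332928's mitigation is to deny the PS, PS2, PS3, EPS, PDF and XPS coders in it) and reports which Ghostscript-backed coders are still readable. The three sample policies are constructed for the example; on a real system pass the path to the installed policy.xml as the first argument.

```python
"""Report which Ghostscript-backed ImageMagick coders a policy.xml still allows.

Assumptions (not from the thread): the policy file is ImageMagick's policy.xml,
a coder is denied when any matching <policy domain="coder"> entry lacks read
rights, and patterns are case-insensitive globs with {a,b,c} alternation.
"""
import fnmatch
import sys
import xml.etree.ElementTree as ET

# Coders that hand their input to Ghostscript (the set VU#332928 recommends denying).
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# --- constructed sample policies ------------------------------------------
RESTRICTIVE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>"""

# Same effect written with one brace-alternation pattern.
BRACE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
</policymap>"""

# A permissive file: only a resource limit, no coder entries at all.
PERMISSIVE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""


def _expand_brace(pattern):
    """Expand one level of {a,b,c} alternation into a list of plain globs."""
    if "{" not in pattern or "}" not in pattern:
        return [pattern]
    head, rest = pattern.split("{", 1)
    body, tail = rest.split("}", 1)
    return [head + alt.strip() + tail for alt in body.split(",")]


def blocked_ghostscript_coders(policy_xml):
    """Return the sorted Ghostscript-backed coders the policy denies for reading.

    A coder counts as blocked if any coder policy whose pattern matches it does
    not grant read rights (rights="none", rights="write", or no rights at all).
    """
    root = ET.fromstring(policy_xml)
    blocked = set()
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if "read" in pol.get("rights", "").lower():
            continue  # this entry still permits reading; it blocks nothing
        for glob in _expand_brace(pol.get("pattern", "").upper()):
            blocked.update(c for c in GHOSTSCRIPT_CODERS
                           if fnmatch.fnmatchcase(c, glob))
    return sorted(blocked)


def unprotected_ghostscript_coders(policy_xml):
    """Return the Ghostscript-backed coders the policy still lets ImageMagick read."""
    blocked = set(blocked_ghostscript_coders(policy_xml))
    return [c for c in GHOSTSCRIPT_CODERS if c not in blocked]


def report(policy_xml, label):
    """Print a one-line verdict for a policy document."""
    open_coders = unprotected_ghostscript_coders(policy_xml)
    if open_coders:
        print(f"{label}: Ghostscript-backed coders still readable: {', '.join(open_coders)}")
    else:
        print(f"{label}: all Ghostscript-backed coders denied")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report(fh.read(), sys.argv[1])
    else:
        report(RESTRICTIVE_POLICY, "restrictive (constructed)")
        report(BRACE_POLICY, "brace pattern (constructed)")
        report(PERMISSIVE_POLICY, "permissive (constructed)")
```

The check only reads the policy; it does not tell you whether the Ghostscript on the box is a fixed version, which is the other half of Arve's argument and is a question for the package manager, not the policy file.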