On 09/02/2018 05:27 PM, Pavel Sanda wrote:
> Daniel wrote:
>>> in policy.xml so they can continue their work.
>>> In longer-term -- if this ban continues -- we might try to ask Qt to do the
>>> conversions instead of imagemagick, but that's definitely not for 2.3.1.
>>> Other ideas?
>>> Pavel
>>> https://www.bleepingcomputer.com/news/security/no-patch-available-yet-for-new-major-vulnerability-in-ghostscript-interpreter/
>> There seems to be a patch for it already.
>>
>> https://artifex.com/news/ghostscript-security-resolved/
>>
>> Hopefully distros will patch and go back to normal.
> These are patches for the vulns reported on Aug 21, but as the original
> report says:
>
> "These bugs were found manually, I also wrote a fuzzer and I'm working on
> minimizing a very large number of testcases that I'm planning to report over
> the next few days. I will just file those issues upstream and not post each
> individual one here, you can monitor https://bugs.ghostscript.com/ if you
> want to. I expect there to be several dozen unique bugs."
>
> So, not sure, we are already in the fixed state for what is coming. New bump
> of ghostscript was announced to late Sept AFAIK.

I think removing the dependency on ImageMagick would be worth doing anyway, if it could be done reasonably. For 'exotic' conversions, maybe we would still need it, but surely Qt can handle most of what we need.

Riki