[Secure-testing-team] Bug#584653: CVE-2010-2055

Michael Gilbert michael.s.gilbert at gmail.com
Fri Dec 10 21:05:09 UTC 2010


On Fri, 10 Dec 2010 21:24:57 +0100, Jonas Smedegaard wrote:
> On Fri, Dec 10, 2010 at 07:45:18PM +0100, Moritz Muehlenhoff wrote:
> >On Thu, Dec 09, 2010 at 10:48:46PM -0500, Michael Gilbert wrote:
> >> I've isolated and applied the patches needed to fix CVE-2010-2055 in
> >> ghostscript.  See attached debdiff.
> >>
> >> Would anyone be so kind as to sponsor this?  The package is at:
> >> http://mentors.debian.net/debian/pool/main/g/ghostscript/
> >
> >I don't have time to sponsor this currently, but this should be
> >uploaded with urgency=low, since there's the potential that
> >applications rely on the old, broken behaviour.
> >
> >I also remember that Jonas is still considering introducing
> >Ghostscript 9.0 into Squeeze. Jonas, what's the current status?
> 
> Michael is right - release team apparently was following my work and 
> turned it down even before formally proposing it: 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584653#132
> 
> @Michael: Sorry, I won't sponsor your patch.  As stated earlier as well, 
> I consider myself incompetent juggling any more patches on top of the 
> 8.71 stack.

The patches are actually rather small.

> You are quite welcome to join the ghostscript packaging team and take 
> responsibility for it yourself - for the full duration of the next stable 
> release cycle!

What exactly do you want me to do?  I'm a DM, so I can't upload myself
(without dm-upload-allowed).  I could add that, but I still need an
initial sponsor.  In the meantime I've joined the ghostscript mailing
list and requested to join the alioth project.

Mike


