[tex-live] Fixing new ghostscript vulnerabilities
Nelson H. F. Beebe
beebe at math.utah.edu
Sat Sep 15 18:47:45 CEST 2018
I expect that several members of this list have been long-time users
of the ghostscript tool suite, without ever having built it from
source code themselves. Here is a portion of a posting that I
just made to a local campus mailing list that describes why, and
how, to do that:
>> ...
>> Last weekend, to address recently discovered security vulnerabilities,
>> Artifex Software released ghostscript and ghostpdl versions 9.25.
>> I've been a ghostscript tester since 1993, and am a member of its
>> developers mailing list, so I was involved in the testing of that
>> release.
>>
>> At the time of news stories about the vulnerabilities [links are in a
>> previous message to this list from me today], the problems had not yet
>> been reported to the Common Vulnerabilities and Exposures (CVE)
>> database at
>>
>> http://cve.mitre.org/cve/
>>
>> but the latest entry there today at
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16802
>>
>> and about a dozen very recent CVE entries discuss the flaws.
>>
>> Because ghostscript and its many tools form a widely used system for
>> viewing and processing PDF and PostScript files (the only high-quality
>> platform-independent archival document display formats that we have),
>> because O/S vendors are far behind in their versions of that software,
>> and because ghostscript is likely to be installed on many campus
>> computers, I believe that we need to address the problem by installing
>> locally-built versions from the latest 9.25 (or later) software
>> release. Downloads can be found here:
>>
>> https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
>>
>> The download site has source packages, as well as prebuilt *.exe files
>> for installing on Microsoft Windows systems.
>>
>> I prefer the ghostpdl package over the ghostscript and ghostpcl
>> packages, because it is a combination of both of those.
>>
>> Today, on a Mac OS X 10.11 (El Capitan) system, I successfully built
>> and installed it like this:
>>
>> % tar xfz /PATH/TO/DOWNLOAD/ghostpdl-gs9.tar.gz
>>
>> # for csh / tcsh login shells
>> % set path=( /bin /usr/bin )
>>
>> # for sh / ash / bash / dash / ksh / mksh / zsh login shells:
>> $ PATH=/bin:/usr/bin ; export PATH
>>
>> % unsetenv CONFIG_SITE
>> % ./configure --prefix=$L && make all check
>> % bin/gs examples/tiger.eps
>> % make install
>>
>> Here $L expands to our local installation tree prefix; its default, if
>> omitted, is /usr/local, but we have long avoided that choice, for
>> important reasons described here:
>>
>> http://www.math.utah.edu/faq/software/software.html#FAQ-1
>> ...
-------------------------------------------------------------------------------
- Nelson H. F. Beebe Tel: +1 801 581 5254 -
- University of Utah FAX: +1 801 581 4148 -
- Department of Mathematics, 110 LCB Internet e-mail: beebe at math.utah.edu -
- 155 S 1400 E RM 233 beebe at acm.org beebe at computer.org -
- Salt Lake City, UT 84112-0090, USA URL: http://www.math.utah.edu/~beebe/ -
-------------------------------------------------------------------------------
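As an added example (not part of Nelson's post, and not code from the Ghostscript project), here is a small POSIX sh script that wraps the two things a sysadmin needs around the procedure quoted above: a check of whether the gs already on PATH is older than the 9.25 release that carries the fixes, and a function that runs the build steps from the post non-interactively. It assumes that `gs --version` prints a MAJOR.MINOR string, that the tarball unpacks into a directory named like the tarball minus `.tar.gz`, and it replaces the interactive `bin/gs examples/tiger.eps` viewer step with a headless render to the `nullpage` device so it can run on a build host without a display.

```shell
#!/bin/sh
# Added example, not from the original post.  Helpers for the ghostscript update:
#   gs_needs_update VERSION       -> succeeds if VERSION is older than 9.25
#   classify_installed_gs          -> prints "missing", "outdated X.Y" or "ok X.Y"
#   build_ghostpdl TARBALL PREFIX  -> runs the build steps from the post
# Assumptions: `gs --version` prints MAJOR.MINOR (e.g. "9.25"); the tarball
# unpacks into a directory named after the tarball without ".tar.gz".

FIXED_VERSION=9.25   # release named in the post as fixing the vulnerabilities

major_of() { printf '%s\n' "${1%%.*}"; }
minor_of() {
    case $1 in
        *.*) rest=${1#*.}; printf '%s\n' "${rest%%.*}" ;;
        *)   printf '0\n' ;;          # "9" is treated as 9.0
    esac
}

# version_lt A B: succeed when A is numerically older than B.  Major and minor
# are compared as integers, so 9.9 sorts before 9.25 (a plain string
# comparison would get that wrong and report a vulnerable 9.9 as current).
version_lt() {
    am=$(major_of "$1"); an=$(minor_of "$1")
    bm=$(major_of "$2"); bn=$(minor_of "$2")
    if [ "$am" -ne "$bm" ]; then [ "$am" -lt "$bm" ]; else [ "$an" -lt "$bn" ]; fi
}

gs_needs_update() { version_lt "$1" "$FIXED_VERSION"; }

# Inspect whichever gs the current PATH resolves to; vendor-packaged copies
# are the ones the post expects to lag behind.
classify_installed_gs() {
    if ! command -v gs >/dev/null 2>&1; then echo missing; return 0; fi
    v=$(gs --version 2>/dev/null) || v=0
    if gs_needs_update "$v"; then echo "outdated $v"; else echo "ok $v"; fi
}

# Build and install ghostpdl as described in the post: minimal PATH, no
# CONFIG_SITE, configure with the local prefix, build, smoke test, install.
build_ghostpdl() {
    tarball=$1; prefix=$2
    [ -n "$tarball" ] && [ -n "$prefix" ] ||
        { echo "usage: build_ghostpdl TARBALL PREFIX" >&2; return 2; }
    PATH=/bin:/usr/bin; export PATH        # same minimal PATH as in the post
    unset CONFIG_SITE                      # sh equivalent of `unsetenv CONFIG_SITE`
    tar xfz "$tarball" || return 1
    dir=$(basename "$tarball" .tar.gz)     # assumed unpack directory name
    cd "$dir" || return 1
    ./configure --prefix="$prefix" && make all check || return 1
    # headless stand-in for the post's `bin/gs examples/tiger.eps` check
    bin/gs -dBATCH -dNOPAUSE -sDEVICE=nullpage examples/tiger.eps || return 1
    make install
}

if [ "${1:-}" = "--check" ]; then classify_installed_gs; fi
```

Run `sh gs-update.sh --check` on each host to find copies that predate 9.25, then `build_ghostpdl /PATH/TO/ghostpdl-9.25.tar.gz "$L"` (with `$L` set to the local installation prefix, as in the post) to replace them. Note that the PATH change inside `build_ghostpdl` persists in the calling shell if the function is sourced rather than run as a script.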