[tex-live] Fixing new ghostscript vulnerabilities

Nelson H. F. Beebe beebe at math.utah.edu
Sat Sep 15 18:47:45 CEST 2018


I expect that several members of this list have been long-time users
of the ghostscript tool suite, without ever having built it from
source code themselves.  Here is a portion of a posting that I
just made to a local campus mailing list that describes why, and
how, to do that:

>> ...
>> Last weekend, to address recently discovered security vulnerabilities,
>> Artifex Software released ghostscript and ghostpdl versions 9.25.
>> I've been a ghostscript tester since 1993, and am a member of its
>> developers mailing list, so I was involved in the testing of that
>> release.
>> 
>> At the time of news stories about the vulnerabilities [links are in a
>> previous message to this list from me today], the problems had not yet
>> been reported to the Common Vulnerabilities and Exposures (CVE)
>> database at
>> 
>>         http://cve.mitre.org/cve/
>> 
>> but the latest entry there today at
>> 
>>         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16802
>> 
>> and about a dozen very recent CVE entries discuss the flaws.
>> 
>> Because ghostscript and its many tools form a widely used system for
>> viewing and processing PDF and PostScript files (the only high-quality
>> platform-independent archival document display formats that we have),
>> because O/S vendors are far behind in their versions of that software,
>> and because ghostscript is likely to be installed on many campus
>> computers, I believe that we need to address the problem by installing
>> locally-built versions from the latest 9.25 (or later) software
>> release.  Downloads can be found here:
>> 
>>         https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
>> 
>> The download site has source packages, as well as prebuilt *.exe files
>> for installing on Microsoft Windows systems.
>> 
>> I prefer the ghostpdl package over the ghostscript and ghostpcl
>> packages, because it is a combination of both of those.
>> 
>> Today, on a Mac OS X 10.11 (El Capitan) system, I successfully built
>> and installed it like this:
>> 
>>         % tar xfz /PATH/TO/DOWNLOAD/ghostpdl-gs9.tar.gz
>> 
>>         # for csh / tcsh login shells
>>         % set path=( /bin /usr/bin )
>> 
>>         # for sh / ash / bash / dash / ksh / mksh / zsh login shells:
>>         $ PATH=/bin:/usr/bin ; export PATH
>> 
>>         % unsetenv CONFIG_SITE          # csh / tcsh
>>         $ unset CONFIG_SITE             # sh-family shells
>>         % ./configure --prefix=$L && make all check
>>         % bin/gs examples/tiger.eps
>>         % make install
>> 
>> Here $L expands to our local installation tree prefix; its default, if
>> omitted, is /usr/local, but we have long avoided that choice, for
>> important reasons described here:
>> 
>>         http://www.math.utah.edu/faq/software/software.html#FAQ-1
>> ...

-------------------------------------------------------------------------------
- Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
- University of Utah                    FAX: +1 801 581 4148                  -
- Department of Mathematics, 110 LCB    Internet e-mail: beebe at math.utah.edu  -
- 155 S 1400 E RM 233                       beebe at acm.org  beebe at computer.org -
- Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe/ -
-------------------------------------------------------------------------------
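
The build recipe quoted above, collected into one script, as an added
example that is not part of the original post and not Artifex's own
tooling.  It adds the two checks a practitioner would want around the
recipe: a checksum test on the downloaded tarball before unpacking it,
and an audit of every gs binary on PATH that reports whether it is at
or past the fixed 9.25 release.  Assumptions not in the original:
the tarball is named ghostpdl-9.25.tar.gz and unpacks into
ghostpdl-9.25/, the expected SHA-256 is supplied by the operator from
the release page, and the smoke test uses the nullpage device so it
runs without a display.

```sh
#!/bin/sh
# Added example (not from the original post): audit installed gs binaries
# and rebuild ghostpdl from a verified source tarball, as the post describes.
# Tarball name, unpack directory and checksum handling are assumptions.

FIXED_MAJOR=9
FIXED_MINOR=25

# gs_is_fixed VERSION -> exit 0 if VERSION is 9.25 or later, 1 if older,
# 2 if the string is not a version at all (e.g. gs --version failed).
gs_is_fixed() {
    ver=$1
    case "$ver" in
        *.*) major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   major=$ver; minor=0 ;;
    esac
    case "$major$minor" in
        ''|*[!0-9]*) return 2 ;;          # not numeric, cannot judge
    esac
    [ "$major" -gt "$FIXED_MAJOR" ] && return 0
    [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -ge "$FIXED_MINOR" ] && return 0
    return 1
}

# audit_path_gs: list every gs on PATH with its version and fixed/vulnerable
# status.  This is what tells you whether the vendor copy is still in play.
audit_path_gs() {
    found=0
    old_ifs=$IFS; IFS=:
    for dir in $PATH; do
        IFS=$old_ifs
        [ -x "$dir/gs" ] || continue
        found=1
        ver=$("$dir/gs" --version 2>/dev/null) || ver=unknown
        if gs_is_fixed "$ver"; then
            status="ok (>= $FIXED_MAJOR.$FIXED_MINOR)"
        else
            status="VULNERABLE or unknown: rebuild or upgrade"
        fi
        printf '%s\t%s\t%s\n' "$dir/gs" "$ver" "$status"
    done
    IFS=$old_ifs
    [ "$found" -eq 1 ] || echo "no gs binary found on PATH"
}

# build_ghostpdl TARBALL PREFIX EXPECTED_SHA256
# Runs in a subshell so the trimmed PATH and the cd do not leak to the caller.
build_ghostpdl() (
    tarball=$1; prefix=$2; expected=$3
    # 1. Verify the download before unpacking it.  The expected hash is an
    #    operator-supplied assumption taken from the release page, not a
    #    value this script knows.
    actual=$(sha256sum "$tarball" 2>/dev/null || shasum -a 256 "$tarball")
    actual=${actual%% *}
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $tarball" >&2; exit 1; }
    # 2. Unpack.  Assumption: ghostpdl-9.25.tar.gz unpacks into ghostpdl-9.25/.
    tar xfz "$tarball"
    cd "$(basename "$tarball" .tar.gz)" || exit 1
    # 3. Build with a minimal PATH and no site config, exactly as in the post.
    PATH=/bin:/usr/bin; export PATH
    unset CONFIG_SITE
    ./configure --prefix="$prefix" && make all check || exit 1
    # 4. Smoke-test the new binary non-interactively (nullpage needs no display).
    ./bin/gs -dNOPAUSE -dBATCH -sDEVICE=nullpage examples/tiger.eps || exit 1
    make install || exit 1
    # 5. Confirm the installed binary actually reports a fixed version.
    installed=$("$prefix/bin/gs" --version)
    gs_is_fixed "$installed"
)

# Usage:  ./gs-rebuild.sh audit
#         ./gs-rebuild.sh build /PATH/TO/ghostpdl-9.25.tar.gz "$L" <sha256>
case "${1:-audit}" in
    audit) audit_path_gs ;;
    build) shift; build_ghostpdl "$@" ;;
esac
```

Run the audit first and again after `make install`: the point of the
post is that the vendor-supplied gs earlier on PATH keeps being found
until the locally built $L/bin comes before it, and the audit shows
every copy, not just the first one.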