[Secure-testing-team] Bug#584653: CVE-2010-2055
Michael Gilbert
michael.s.gilbert at gmail.com
Fri Dec 10 21:05:09 UTC 2010
On Fri, 10 Dec 2010 21:24:57 +0100, Jonas Smedegaard wrote:
> On Fri, Dec 10, 2010 at 07:45:18PM +0100, Moritz Muehlenhoff wrote:
> >On Thu, Dec 09, 2010 at 10:48:46PM -0500, Michael Gilbert wrote:
> >> I've isolated and applied the patches needed to fix CVE-2010-2055 in
> >> ghostscript. See attached debdiff.
> >>
> >> Would anyone be so kind to sponsor this? The package is at:
> >> http://mentors.debian.net/debian/pool/main/g/ghostscript/
> >
> >I don't have time to sponsor this currently, but this should be
> >uploaded with urgency=low, since there's the potential that
> >applications rely on the old, broken behaviour.
> >
> >I also remember that Jonas is still considering to introduce
> >Ghostscript 9.0 into Squeeze. Jonas, what's the current status?
>
> Michael is right - release team apparently was following my work and
> turned it down even before formally proposing it:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584653#132
>
> @Michael: Sorry, I won't sponsor your patch. As stated earlier as well,
> I consider myself incompetent juggling any more patches on top of the
> 8.71 stack.

The patches are actually rather small.

> You are quite welcome to join the ghostscript packaging team and take
> responsibility of it yourself - for the full duration of the next stable
> release cycle!

What exactly do you want me to do? I'm a DM, so I can't upload myself
(without dm-upload-allowed). I could add that, but I still need an
initial sponsor. In the meantime I've joined the ghostscript mailing
list and requested to join the alioth project.

Mike