GNU bug report logs - #39674
[PATCH] enable PostScript backend in Evince

Package: guix-patches;

Reported by: raingloom <raingloom <at> riseup.net>

Date: Wed, 19 Feb 2020 12:09:01 UTC

Severity: normal

Tags: patch

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.


Message #23 received at 39674 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: guix-security <at> gnu.org, 39674 <at> debbugs.gnu.org,
 raingloom <raingloom <at> riseup.net>,
 Nicolò Balzarotti <anothersms <at> gmail.com>
Subject: Re: [bug#39674] [PATCH] enable PostScript backend in Evince
Date: Tue, 22 Oct 2024 23:17:50 +0900
Hi,

Ludovic Courtès <ludo <at> gnu.org> writes:

> Hi Nicolò & raingloom!
>
> (+ Cc: guix-security)
>
> Nicolò Balzarotti <anothersms <at> gmail.com> skribis:
>
>> Thanks!
>>
>> I was wondering why it could not open .eps files!  I tested the patch,
>> applies, build and now I can open them.  guix size reports +3%
>> (1009.6 -> 1038.0).
>>
>> +1 for merging
>
> I think PostScript support is often disabled by default because of
> security issues: PostScript is a very versatile language and Ghostscript
> has had a series of problems due to its inability to “sandbox”
> PostScript code.
>
> A particularly important issue is thumbnail generation: you could find
> yourself running PostScript code without explicitly opening a file.
>
> FWIW, I resort to gv (or ps2pdf) when I need to open a PostScript that I
> deem trustworthy.

My opinion is that we should enable it.  It's advertised as a
supported format [0]; if there was a serious security issue, upstream
would probably drop support for it, or at least hide it behind some
configuration warning, and not advertise it.

Debian, known for its security track record, also has it enabled [1].

[0]  https://help.gnome.org/users/evince/stable/formats.html.en
[1]  https://salsa.debian.org/gnome-team/evince/-/blob/debian/latest/debian/rules?ref_type=heads#L15

-- 
Thanks,
Maxim
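
The thumbnailing concern in the quoted reply can be checked on an installed system. This is an added example, not part of the message and not Guix or Evince code: it parses freedesktop `.thumbnailer` entries and reports which ones are registered for PostScript MIME types. The MIME type list and the sample entries (`viewer-a`, `viewer-b`) are constructed assumptions.

```python
import configparser
import os
from pathlib import Path

# Assumption: MIME types commonly used for PostScript/EPS documents.
PS_MIMES = {"application/postscript", "image/x-eps",
            "application/x-gzpostscript", "application/x-bzpostscript"}

# Constructed sample entries in the freedesktop .thumbnailer format.
SAMPLES = {
    "viewer-a.thumbnailer": "[Thumbnailer Entry]\nTryExec=viewer-a-thumb\n"
        "Exec=viewer-a-thumb -s %s %u %o\n"
        "MimeType=application/pdf;application/postscript;image/x-eps;\n",
    "viewer-b.thumbnailer": "[Thumbnailer Entry]\nExec=viewer-b-thumb %i %o\n"
        "MimeType=application/pdf;image/vnd.djvu;\n",
}

def parse_thumbnailer(text):
    """Return (Exec line, set of MIME types) for one .thumbnailer body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keys are case-sensitive (Exec, MimeType)
    try:
        cp.read_string(text)
        entry = cp["Thumbnailer Entry"]
    except (configparser.Error, KeyError):
        return None, set()  # malformed or unrelated file
    mimes = {m.strip() for m in entry.get("MimeType", "").split(";")}
    return entry.get("Exec"), mimes - {""}

def postscript_thumbnailers(entries):
    """Map file name -> (Exec, PostScript MIME types it is registered for)."""
    found = {}
    for name, text in entries.items():
        exec_line, mimes = parse_thumbnailer(text)
        hits = sorted(mimes & PS_MIMES)
        if hits:
            found[name] = (exec_line, hits)
    return found

def installed_entries():
    """Read *.thumbnailer files from each XDG data directory."""
    dirs = os.environ.get("XDG_DATA_DIRS", "/usr/local/share:/usr/share")
    paths = [p for d in dirs.split(":") if d
             for p in Path(d, "thumbnailers").glob("*.thumbnailer")]
    return {str(p): p.read_text(errors="replace") for p in paths}

if __name__ == "__main__":
    for source in (SAMPLES, installed_entries()):
        for name, (cmd, hits) in postscript_thumbnailers(source).items():
            print(f"{name}: {cmd!r} handles {', '.join(hits)}")
```

An entry reported here means the desktop's thumbnailing service may run that command on a PostScript file when a directory is merely browsed.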




This bug report was last modified 120 days ago.
