[Bug 1134327] New: Enhance Ghostscript apparmor profile for ps2epsi
http://bugzilla.suse.com/show_bug.cgi?id=1134327
Bug ID: 1134327
Summary: Enhance Ghostscript apparmor profile for ps2epsi
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: All
OS: openSUSE Factory
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: jsmeix@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
See https://build.opensuse.org/request/show/701304
Basically these are the intended changes:
+++ ghostscript.changes
@@ -1,0 +2,5 @@
+Tue May 7 11:57:21 UTC 2019 - Dirk Stoecker
--- Comment #9 from Johannes Segitz
- on the other hand useless in practice because flags=(complain) does not prevent execution of arbitrary executables for the main security problem which is /usr/bin/gs
yes, that is unfortunate and I don't want to keep it this way. We could split it up like you propose, but I think we're not too far away from a profile that should cause problems for users (at least that's my hope)