On Tue, 25 Jun 2019 22:11:36 +0930 Rodney Baker <rodney.baker@iinet.net.au> wrote:
On Monday, 24 June 2019 22:26:53 ACST Michal Suchánek wrote: [...]
I agree this is probably a much better way to achieve pretty much the same result
It isn't. Ghostscript needs apparmor to be reasonably secure. A security flaw pointed out in ghostscript was fixed by writing this apparmor profile. For it to be effective you need apparmor even if you did not have it to start with. That's a requirement in my book.
Sounds more like a workaround than a fix. A proper fix would have been to fix the vulnerability in ghostscript, rather than using a sledgehammer to crack a walnut (unless there was absolutely no other way to mitigate the risk).
Ghostscript is a postscript interpreter. The document can contain an arbitrary program. If the standard was not designed with security in mind and documents commonly rely on features that are by design insecure, there is no other way. That said, I am not familiar with the particular vulnerability this change is trying to address.

Thanks

Michal