On Tue, 2019-06-25 at 22:11 +0930, Rodney Baker wrote:
On Monday, 24 June 2019 22:26:53 ACST Michal Suchánek wrote: [...]
I agree this is probably a much better way to achieve pretty much the same result
It isn't. Ghostscript needs apparmor to be reasonably secure. A security flaw pointed out in ghostscript was fixed by writing this apparmor profile. For it to be effective you need apparmor even if you did not have it to start with. That's a requirement in my book.
Sounds more like a workaround than a fix. A proper fix would have been to fix the vulnerability in ghostscript, rather than using a sledgehammer to crack a walnut (unless there was absolutely no other way to mitigate the risk).
That's the point - ghostscript is considered more or less unfixable. Quoting from the non-public bug where the apparmor profile was introduced:

"With the current set of ghostscript security issues and likely more coming, we should audit the current users of ghostscript and remove it where it is not strictly necessary, or at least confine it using apparmor. [...] Basically processing untrusted input with ghostscript is a hopeless case and should be disabled."

Yet ghostscript is at the heart of Linux printing, so it couldn't simply be ditched. Thus using apparmor is only logical - it confines ghostscript from an external, security-focused point of view. Anyone is welcome to try and fix the issues in ghostscript for good, but I fear it will be a tough ride, and likely not as efficient as the apparmor approach.

Martin

--
Dr. Martin Wilck <mwilck@suse.com>, Tel. +49 (0)911 74053 2107
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)