From: smcv@debian.org   
      
   Source: papers   
   Severity: normal   
   X-Debbugs-Cc: apparmor@packages.debian.org, security@debian.org, Jamie   
   Strandboge    
   Control: affects -1 + src:apparmor   
      
   Similar to the corresponding bug in src:evince, the papers package   
   (which replaces evince as upstream GNOME's document viewer) has a   
   downstream-added AppArmor profile, heavily based on the one for evince,   
   which originated in Ubuntu.   
      
   In theory the benefit of this profile (if I'm guessing the history   
   correctly) is that it mitigates security vulnerabilities that might   
   exist in poppler and similar libraries, making it harder for an attacker   
   to exploint those vulnerabilities by supplying a crafted   
   PDF/Postscript/etc. document. However, as with src:evince, in practice   
   there are sandbox escapes that would allow an attacker to bypass it, so   
   at best it makes attacks more difficult.   
      
   Meanwhile, the cost of this profile is that any time papers or one of   
   its dependencies needs to do something for its normal operation that the   
   author of the profile didn't foresee, that feature will not work, in   
   particular the recent addition of sandboxed image loaders (using glycin   
   via gdk-pixbuf).   
      
   In papers' short history, we already have a couple of bugs that appear   
   to be caused by the AppArmor profile: ,   
   . I'm sure there are more, they just   
   haven't been reported yet.   
      
   Just like evince, I'm now questioning whether the benefit of the   
   AppArmor profile is worth its cost. Would we be better off without it?   
      
       smcv   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)