On Thu, Sep 5, 2019 at 11:57 PM Jonas Smedegaard <jo...@jones.dk> wrote: > > Quoting Sean Whitton (2019-09-06 06:20:47) > > On Sat 31 Aug 2019 at 03:58PM +02, Jonas Smedegaard wrote: > > > > > Possibly some of the other tools uses undocumented insecure > > > ghostscript calls which was recently removed. > > > > > > To investigate that further, someone needs to extract the actual > > > input (probably Postscript or PDF) and the exact command used to > > > call ghostscript. > > > > This was indeed a problem and ocrmypdf upstream has fixed it in the > > latest release. > > Ah, great that the cause has been located! > > ...and happy that my guess was correct :-)
Not quite? ocrmypdf did not use any undocumented ghostscript calls. It followed an example from Ghostscript's documentation almost verbatim to generate a .ps from a template that tells Ghostscript to insert an ICC profile, referenced by filename. Ghostscript 9.28 is disabling access to all files from a .ps file unless safety is explicitly disabled. So nothing undocumented or exploitable was happening. (But it does make sense for Ghostscript to make the change.) It does mean any other software that uses Ghostscript to generate PDF/X, PDF/E, or PDF/A is likely going to break as well with this release. > They've issued another pre-release yesterday - I hope to package that > soon, maybe today. > > > - Jonas > > -- > * Jonas Smedegaard - idealist & Internet-arkitekt > * Tlf.: +45 40843136 Website: http://dr.jones.dk/ > > [x] quote me freely [ ] ask before reusing [ ] keep private