Hi,

There is a vulnerability in ghostscript that allows maliciously crafted files to bypass the sandbox and execute arbitrary code:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1729

I would be wary of backporting the fix to our old version of ghostscript as the code has changed quite a lot and we would need to analyze which operators could be exploited and there's a risk that we would miss some (see how it took upstream several attempts to come up with a complete fix for all possible cases).

Debian stretch has updated to the last upstream version that contains a fix (and updated to newer versions in the past too), so did Ubuntu even back to 14.04, and SuSE. No update for RedHat 7 yet, but they ship gs 9.07 so it'd be interesting to see what they do.

For now I have prepared and tested a 9.26a backport to jessie. The diff is huge but given the above I'm not too wary of shipping this. It's worked for me, both building some libgs-dev rdeps, and testing libgs to render some PS files.

As for dependencies, it no longer uses Jasper (not supported by upstream anymore) and uses openjpeg2 instead. There's also a new dependency on libexpat.

I have pushed the updated packages to:

https://people.debian.org/~pochu/lts/ghostscript/

I would appreciate some testing and/or feedback.

Cheers,
Emilio
