Thanks for filing the upstream bug. I am making this bug public since the commits are public and the issue is fixed in later releases. Thanks!
** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1969932

Title:
  Security issue in Ghostscript 9.26 due to missing patch

Status in ghostscript package in Ubuntu:
  New

Bug description:
  I'm a German security researcher and submitted a report via HackerOne to Yahoo; they encouraged me to notify you directly regarding this issue.

  As it turned out, older Ubuntu LTS versions are affected:

  - ghostscript_9.26~dfsg+0-0ubuntu0.18.04.15 (Bionic Beaver)
  - ghostscript_9.26~dfsg+0-0ubuntu0.16.04.14 (Xenial Xerus)
  - ghostscript_9.26~dfsg+0-0ubuntu0.14.04.8 (Trusty Tahr)

  The issue is caused by a missing patch from 2019 [1], a variant of CVE-2019-6116, which can lead to a -dSAFER bypass (i.e., a malicious PostScript/EPS file can potentially execute arbitrary shell commands).

  Jammy Jellyfish, Impish Indri, and Focal Fossa are *not* affected.

  *Countermeasures:* Make sure to apply this patch [1] to the older LTS versions (14/16/18).

  [1] https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=430e2

