Thank you very much for your answer. Greetings
Ronny

On Thu, 20 July 2023 at 09:56, Andreas Neumann <[email protected]> wrote:

> Dear Ronny,
>
> I am adding the mailing list again.
>
> Jürgen Fischer (the packager for Windows and Ubuntu) informed you that
> OSGeo4W is already patched:
> https://lists.osgeo.org/pipermail/qgis-user/2023-July/053215.html
>
> And also that ghostscript isn't necessary for QGIS, but a dependency of
> GRASS. You could install QGIS with the OSGeo4W network installer and not
> select GRASS. Then you wouldn't get ghostscript. But if you do want GRASS
> you can now use the patched ghostscript version.
>
> If you need a patched .msi or standalone installer you can get one after
> the next planned release - see
> https://www.qgis.org/en/site/getinvolved/development/roadmap.html#roadmap
>
> Hope this clarifies the situation enough?
>
> Greetings,
>
> Andreas
>
> On 2023-07-20 07:21, Ronny Kerlin wrote:
>
> > Please excuse my bad English.
> >
> > Hello and sorry for the insufficient information, that was not
> > intentional. I use the LTR version QGis 3.28.4 Firenze under Windows10
> > 22H2. Download source
> > https://www.qgis.org/de/site/forusers/download.html#
> >
> > With this installation, Ghostscript libraries are also copied to the
> > corresponding directory
> >
> > C:\Program Files\QGIS 3.28.4\bin\gsdll64.dll
> > C:\Program Files\QGIS 3.28.4\bin\gswin32c.exe
> > C:\Program Files\QGIS 3.28.4\bin\gswin64c.exe
> >
> > The Ghostscript libraries used here are older (GPL Ghostscript 9.55.0) and
> > are therefore probably also affected by the Ghostscript vulnerability.
> >
> > https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
> >
> > "Applications may leverage Ghostscript without it being obvious. It is
> > recommended that applications that have the ability to render PDF or EPS
> > files are checked for Ghostscript usage and updated as patches become
> > available from the vendor."
> >
> > So the question was who do I contact to find out if the QGis version is
> > vulnerable to such manipulated .eps, .ps or QGis project files?
> >
> > Thank you for your help and greetings from Germany
> >
> > Ronny
> >
> > #######
> >
> > Please excuse my poor English.
> >
> > Hello and sorry for the insufficient details, that was not intentional.
> >
> > I use the LTR version QGis 3.28.4 Firenze under Windows10 22H2.
> > Download source https://www.qgis.org/de/site/forusers/download.html#
> >
> > With this installation, Ghostscript libraries are also copied into the
> > corresponding directory
> >
> > C:\Program Files\QGIS 3.28.4\bin\gsdll64.dll
> > C:\Program Files\QGIS 3.28.4\bin\gswin32c.exe
> > C:\Program Files\QGIS 3.28.4\bin\gswin64c.exe
> >
> > The Ghostscript libraries used here are older (GPL Ghostscript 9.55.0)
> > and are therefore probably also affected by the Ghostscript vulnerability.
> >
> > https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
> >
> > "Applications may leverage Ghostscript without it being obvious. It is
> > recommended that applications that have the ability to render PDF or EPS
> > files are checked for Ghostscript usage and updated as patches become
> > available from the vendor."
> >
> > Hence the question: whom do I have to contact to find out whether the
> > QGis version is vulnerable to such manipulated .eps or .ps or QGis
> > project files?
> >
> > Many thanks for your help and greetings from Germany
> >
> > Ronny
> >
> > On Wed, 19 July 2023 at 13:57, Andreas Neumann <[email protected]> wrote:
> >
> > Hi Ronny,
> >
> > What operating system are you referring to? QGIS on Windows? Mac? Linux?
> >
> > QGIS doesn't use ghostscript and doesn't install ghostscript.
> >
> > But you might have installed ghostscript through OSGeo4W. If there is
> > anything to patch, then it is in OSGeo4W and the various Linux and MacOS
> > distributions.
> >
> > How did you install QGIS?
> > Through the OSGeo4W installer or with the
> > standalone installer or .msi installer?
> >
> > Greetings,
> >
> > Andreas
> >
> > On 2023-07-19 13:21, Ronny Kerlin via QGIS-User wrote:
> >
> > Hello QGI's team,
> >
> > We have an important question regarding a recent vulnerability
> > [CVE-2023-36664] affecting Ghostscript
> >
> > https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
> > https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betreff-LibreOffice-und-mehr-9215627.html
> > https://www.borncity.com/blog/2023/07/13/critical-rce-vulnerability-cve-2023-36664-in-ghostscript-endangered-systems/
> >
> > There are also corresponding GS libraries in #QGIS 3.28.4.
> >
> > Now how can I fix the above vulnerability or is there no concern for QGis?
> >
> > Thank you in advance for your efforts.
> > Best regards
> >
> > Ronny
> >
> > ######
> >
> > Hello QGIs team,
> >
> > we have an important question about a current vulnerability
> > [CVE-2023-36664] that occurs in connection with Ghostscript
> > <https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betrifft-LibreOffice-und-mehr-9215627.html>
> >
> > https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
> > https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betrifft-LibreOffice-und-mehr-9215627.html
> > https://www.borncity.com/blog/2023/07/13/kritische-rce-schwachstelle-cve-2023-36664-in-ghostscript-bedroht-systeme/
> >
> > In *#QGIS* 3.28.4 there are also corresponding GS libraries.
> >
> > How can I now close the above-mentioned vulnerability, or are there no
> > concerns for QGis?
> >
> > Many thanks in advance for your efforts.
> >
> > Best regards
> >
> > Ronny
_______________________________________________
QGIS-User mailing list
[email protected]
List info: https://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-user
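
The check discussed in this thread (finding Ghostscript copies bundled inside an application directory and comparing their version with the vendor's fixed release), as an added example that is not part of the thread and not QGIS or OSGeo4W code. The first fixed version is not stated in the thread, so it is a parameter to be taken from the vendor advisory; `gsdll32.dll` and `gs` are file names added here as assumptions.

```python
import os
import re
import subprocess

# gsdll64.dll, gswin32c.exe, gswin64c.exe are the names listed in the thread;
# gsdll32.dll and gs (Linux/macOS) are added here as assumptions.
GS_NAMES = {"gsdll64.dll", "gsdll32.dll", "gswin32c.exe", "gswin64c.exe", "gs"}

def find_ghostscript(root):
    """Return sorted paths under root whose file name is a Ghostscript binary."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, n) for n in files if n.lower() in GS_NAMES]
    return sorted(hits)

def parse_version(text):
    """Extract the first dotted version, e.g. '9.55.0' -> (9, 55, 0)."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def query_version(path):
    """Run '<exe> --version'; a DLL cannot be executed, so report None for it."""
    if path.lower().endswith(".dll"):
        return None
    try:
        out = subprocess.run([path, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_version(out.stdout)

def audit(root, min_fixed, get_version=query_version):
    """Classify every bundled copy as 'outdated', 'ok' or 'unknown'."""
    report = []
    for path in find_ghostscript(root):
        ver = get_version(path)
        if ver is None:
            status = "unknown"  # needs a manual check (file properties, vendor)
        else:
            status = "outdated" if ver < min_fixed else "ok"
        report.append((path, ver, status))
    return report

if __name__ == "__main__":
    import sys
    # Usage: gs_audit.py <install root> <first fixed version from the advisory>
    for path, ver, status in audit(sys.argv[1], parse_version(sys.argv[2])):
        print(status, ver, path)
```

A DLL that reports `unknown` usually sits next to an executable from the same Ghostscript build, so the executable's result is the one to read for that directory.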
