The .forceput (or .forcedef, depending on the ghostscript version) is still accessible via DefineResource. An attacker could use this flaw to bypass the -dSAFER restriction and, for example, have access to the file system outside of the designated restricted directories.
External References: https://bugs.ghostscript.com/show_bug.cgi?id=700576
Mitigation: Please refer to the "Mitigation" section of CVE-2018-16509: https://access.redhat.com/security/cve/cve-2018-16509
The following upstream fixes resolve the issue:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd95bb01
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e8f95a
Acknowledgments: Name: Cedric Buissart (Red Hat)
Created ghostscript tracking bugs for this issue: Affects: fedora-all [bug 1691326]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 via RHSA-2019:0633: https://access.redhat.com/errata/RHSA-2019:0633
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8 via RHSA-2019:0971: https://access.redhat.com/errata/RHSA-2019:0971