It was reported that Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program. Upstream issue: https://bugs.ghostscript.com/show_bug.cgi?id=697808
Created ghostscript tracking bugs for this issue: Affects: fedora-all [bug 1446064]
[Updated] Upstream patches: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=04b37bbce1 https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4f83478c88 https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=57f20719 https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ccfd2c75ac
This is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1445359
*** Bug 1445359 has been marked as a duplicate of this bug. ***
Note: The original patch has a regression in some rare conditions (when using the "DELAYBIND" feature). In such situation, the additional patch is required : http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=57f20719
It appears that the additional patch in comment 9 has its own regression.
One more patch : * Bug 697892: fix check for op stack underflow. http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ccfd2c75ac
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2017:1230 https://access.redhat.com/errata/RHSA-2017:1230