In Ghostscript 9.27, some ephemeral routines in .pdf_hook_DSC_Creator can expose .forceput operator when hooking errors. This issue is similar to upstream bug https://bugs.ghostscript.com/show_bug.cgi?id=700317. There is no direct path to reach .pdf_hook_DSC_Creator however it can be obtained from .pdfdsc. http://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=Resource/Init/gs_pdfwr.ps;h=00c19faf3c4169fc26f7d35e759b94a7444d63a8;hb=ebfaa2db4cb518a2bc99c1532d4429201a13dfab#l651 651 } bind .makeoperator .forceput 652 systemdict /.pdf_hooked_DSC_Creator //true .forceput 653 } executeonly if 654 pop 655 } if This can be used to disable -dSAFER and, for example, access files outside of the restricted area, or command execution. Reference: https://bugs.ghostscript.com/show_bug.cgi?id=701445
Upstream fix : http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33
Mitigation: Please refer to the "Mitigation" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509
Acknowledgments: Name: Artifex Software Upstream: Hiroki MATSUKUMA (Cyber Defense Institute)
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2586 https://access.redhat.com/errata/RHSA-2019:2586
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2591 https://access.redhat.com/errata/RHSA-2019:2591
Created ghostscript tracking bugs for this issue: Affects: fedora-all [bug 1747908]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14811