There seem to be several .forceput accessible in .pdfexectoken and other procedures.

For the case of .pdfexectoken: several .forceput are available on the stack:

{-dict- /PDFSTEPcount --known-- --not--
  {-dict- /PDFSTEPcount 1 --.forceput--} --executeonly-- --if--
  PDFSTEP
  {-dict- /PDFtokencount 2 --copy-- --.knownget-- {1 --add--} {1} --ifelse-- --.forceput--
    PDFSTEPcount 1 --gt--
    {-dict- /PDFSTEPcount PDFSTEPcount 1 --sub-- --.forceput--} --executeonly--
    {--dup-- ==only ( step # ) --print-- PDFtokencount =only ( ? ) --print-- --flush--
      1 false --.outputpage-- (%stdin) (r) --file-- 255 --string-- --readline--
      {--token--
        {--exch-- --pop-- -dict- /PDFSTEPcount 3 -1 --roll-- --.forceput--} --executeonly--
        {-dict- /PDFSTEPcount 1 --.forceput--} --executeonly--
        --ifelse--}
      {--pop-- /PDFSTEP false --def--}
      --ifelse--}
    --ifelse--} --executeonly--
  {--dup-- ==only () = --flush--}
  --ifelse--}

As with the other recent vulnerabilities the recent mitigation included post-gs-9.27 successfully prevents arbitrary file access & code execution even when the script disables SAFER. However gs up to version 9.27 are affected. This can be used to disable -dSAFER and, for example, access files outside of the restricted area, or command execution.

Reference:
https://bugs.ghostscript.com/show_bug.cgi?id=701450
Upstream fix (containing additional potential fixes other than .pdfexectoken):
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19
Acknowledgments: Name: Artifex Software
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:2586 https://access.redhat.com/errata/RHSA-2019:2586
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:2591 https://access.redhat.com/errata/RHSA-2019:2591
Created ghostscript tracking bugs for this issue:
Affects: fedora-all [bug 1747909]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14817