While .charkeys cannot be called directly, it is called by .loadwofffont, which in turn can be recovered from .loadfontfile. Using a stack overflow and error handlers, .charkeys can be crashed at a convenient location and .forceput recovered from the stack. This can be used to disable -dSAFER and, for example, access files outside of the restricted area, or command execution. The vulnerability is not effective against ghostscript 9.50 thanks to the reimplementation of the SAFER feature. Reference: https://bugs.ghostscript.com/show_bug.cgi?id=701841
Upstream fix: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f
The .charkey operator was vulnerable in one way or another (`superexec` was used before `forceput`) since ghostscript-9.15. Ghostscripts versions older than ghostscript-9.15 (including RHEL-7.6 and previous releases) are not affected by this flaw.
Acknowledgments: Name: Artifex Software Upstream: Paul Manfred, Lukas Schauer
Mitigation: Please refer to the "Mitigation" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509
Created ghostscript tracking bugs for this issue: Affects: fedora-all [bug 1772486]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:3888 https://access.redhat.com/errata/RHSA-2019:3888
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14869
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3890 https://access.redhat.com/errata/RHSA-2019:3890
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0222 https://access.redhat.com/errata/RHSA-2020:0222