The file access protection built into Ghostscript proved insufficient for the "%pipe%" PostScript device, when combined with Ghostscript's requirement to be able to create and control temporary files in the conventional temporary file directories (for example, "/tmp" or "/temp"). This exploit is restricted to Unix-like systems (i.e., it doesn't affect Windows). The most severe claimed results are only feasible if the exploit is run as a "high privilege" user (root/superuser level) -- a practice we would discourage under any circumstances.
Resolution: The solution involves including the device specifier string ("%pipe%") in the permissions checking, meaning the entire file name string is validated, rather than (as before) only the sub-string following the device specifier.
This flaw allows trivially escaping the sandbox (enabled with the `-dSAFER` option). A specially crafted document could use this flaw to execute commands on the system, in the context of the Ghostscript interpreter.
This flaw affects only versions from 9.50 onward.
Upstream bug :
Created ghostscript tracking bugs for this issue:
Affects: fedora-all [bug 2003085]
*** Bug 2002800 has been marked as a duplicate of this bug. ***
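The difference between the two checks named in the resolution above, as an added example that is not Ghostscript's code or part of this bug report: a simplified prefix-match model in which the permit list, the function names and the sample file names are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed permit list for this model: the temporary directories the
 * interpreter must be able to use, as the advisory text describes. */
static const char *const permitted[] = { "/tmp/", "/temp/" };

/* Return 1 when `name` begins with one of the permitted prefixes. */
static int prefix_permitted(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof permitted / sizeof permitted[0]; i++)
        if (strncmp(name, permitted[i], strlen(permitted[i])) == 0)
            return 1;
    return 0;
}

/* Return the text after a leading "%device%" specifier, or `name`
 * unchanged when it carries no complete specifier. */
static const char *after_device(const char *name)
{
    const char *end;
    if (name[0] != '%')
        return name;
    end = strchr(name + 1, '%');
    return end != NULL ? end + 1 : name;
}

/* Before the fix: only the substring after the specifier is checked. */
int check_substring_only(const char *name)
{
    return prefix_permitted(after_device(name));
}

/* After the fix: the entire string, specifier included, is checked. */
int check_full_name(const char *name)
{
    return prefix_permitted(name);
}

int main(void)
{
    /* Constructed sample names; none comes from the bug report. */
    const char *s[] = { "/tmp/scratch", "%pipe%/tmp/scratch", "%pipe%/opt/x" };
    size_t i;
    for (i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-20s substring=%d full=%d\n", s[i],
               check_substring_only(s[i]), check_full_name(s[i]));
    return 0;
}
```

In this model a name that carries the "%pipe%" specifier passes the full-string check only if the permit list contains an entry that itself begins with that specifier, so write access to a temporary directory no longer implies permission to open a pipe.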
Upstream fix :