The file access protection built into Ghostscript proved insufficient for the "%pipe%" PostScript device, when combined with Ghostscript's requirement to be able to create and control temporary files in the conventional temporary file directories (for example, "/tmp" or "/temp"). This exploit is restricted to Unix-like systems (i.e., it doesn't affect Windows). The most severe claimed results are only feasible if the exploit is run as a "high privilege" user (root/superuser level) -- a practice we would discourage under any circumstances.

Resolution: The solution involves including the device specifier string ("%pipe%") in the permissions checking, meaning the entire file name string is validated, rather than (as before) only the sub-string following the device specifier.

This flaw allows trivially escaping the sandbox (enabled with the `-dSAFER` option). A specially crafted document could use this flaw to execute commands on the system, in the context of the Ghostscript interpreter. This flaw affects only versions from 9.50 onward.

Upstream bug: https://bugs.ghostscript.com/show_bug.cgi?id=704342
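The difference between the two checks described in the resolution, as an added example that is not part of the original report and is not Ghostscript's code. It is a simplified model: the allow-list, the function names and the sample file names are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed allow-list: the interpreter must be able to write temp files. */
static const char *const permitted_prefixes[] = { "/tmp/", "/temp/" };

/* Returns 1 if 'name' begins with one of the permitted prefixes. */
static int prefix_permitted(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof permitted_prefixes / sizeof permitted_prefixes[0]; i++) {
        size_t n = strlen(permitted_prefixes[i]);
        if (strncmp(name, permitted_prefixes[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Returns a pointer past a leading "%device%" specifier, or 'name' itself. */
static const char *skip_device(const char *name)
{
    const char *end;
    if (name[0] != '%')
        return name;
    end = strchr(name + 1, '%');
    return end ? end + 1 : name;
}

/* Before: only the sub-string after the device specifier is validated. */
int check_before_fix(const char *name)
{
    return prefix_permitted(skip_device(name));
}

/* After: the entire string, device specifier included, is validated. */
int check_after_fix(const char *name)
{
    return prefix_permitted(name);
}

int main(void)
{
    const char *samples[] = { "/tmp/gs_abc123", "%pipe%/tmp/constructed-name", "%pipe%lpr" };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("%-30s before=%d after=%d\n", samples[i],
               check_before_fix(samples[i]), check_after_fix(samples[i]));
    return 0;
}
```

In this model a plain temporary file name is accepted by both checks, while a "%pipe%" name whose remainder happens to start with a permitted temporary directory is accepted only by the older check.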
Created ghostscript tracking bugs for this issue: Affects: fedora-all [bug 2003085]
*** Bug 2002800 has been marked as a duplicate of this bug. ***
Upstream fix: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a9bd3dec9fde03327a4a2c69dad1036bf9632e20