Sean Whitton and I confirmed the issue still occurs with Ghostscript 9.28rc2.
I reported the issue with Ghostscript here:
https://bugs.ghostscript.com/show_bug.cgi?id=701552

On Fri, Sep 6, 2019 at 1:58 AM Jonas Smedegaard <jo...@jones.dk> wrote:
>
> Quoting James R Barlow (2019-09-06 10:15:59)
> > On Thu, Sep 5, 2019 at 11:57 PM Jonas Smedegaard <jo...@jones.dk> wrote:
> > >
> > > Quoting Sean Whitton (2019-09-06 06:20:47)
> > > > On Sat 31 Aug 2019 at 03:58PM +02, Jonas Smedegaard wrote:
> > > >
> > > > > Possibly some of the other tools uses undocumented insecure
> > > > > ghostscript calls which was recently removed.
> > > > >
> > > > > To investigate that further, someone needs to extract the actual
> > > > > input (probably Postscript or PDF) and the exact command used to
> > > > > call ghostscript.
> > > >
> > > > This was indeed a problem and ocrmypdf upstream has fixed it in
> > > > the latest release.
> > >
> > > Ah, great that the cause has been located!
> > >
> > > ...and happy that my guess was correct :-)
> >
> > Not quite? ocrmypdf did not use any undocumented ghostscript calls. It
> > followed an example from Ghostscript's documentation almost verbatim
> > to generate a .ps from a template that tells Ghostscript to insert an
> > ICC profile, referenced by filename. Ghostscript 9.28 is disabling
> > access to all files from a .ps file unless safety is explicitly
> > disabled. So nothing undocumented or exploitable was happening. (But
> > it does make sense for Ghostscript to make the change.)
> >
> > It does mean any other software that uses Ghostscript to generate
> > PDF/X, PDF/E, or PDF/A is likely going to break as well with this
> > release.
>
> Thanks for the clarification - helps me not spread any further false
> information!
>
> - Jonas
>
> --
> * Jonas Smedegaard - idealist & Internet-arkitekt
> * Tlf.: +45 40843136 Website: http://dr.jones.dk/
>
> [x] quote me freely [ ] ask before reusing [ ] keep private
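
Added example, not part of the thread and not ocrmypdf's or Ghostscript's own code: the pattern described above (a definition file generated from a template that opens an ICC profile by filename), invoked with safety left on and read access granted to that one file instead of disabling safety. It assumes a Ghostscript build that supports `--permit-file-read=`; the template text, helper names and paths are constructed for illustration.

```python
import os

# Constructed, shortened stand-in for a PDF/A definition template that
# opens an ICC profile by filename from PostScript.
TEMPLATE = """%!
[/_objdef {icc_PDFA} /type /stream /OBJ pdfmark
[{icc_PDFA} << /N 3 >> /PUT pdfmark
[{icc_PDFA} (@ICC@) (r) file /PUT pdfmark
"""


def ps_string(text):
    """Escape text for a PostScript (...) string literal."""
    return (text.replace("\\", "\\\\")
                .replace("(", "\\(")
                .replace(")", "\\)"))


def render_pdfa_def(icc_path):
    """Fill the template with the absolute, escaped ICC profile path."""
    return TEMPLATE.replace("@ICC@", ps_string(os.path.abspath(icc_path)))


def gs_args(def_ps, icc_path, src, out_pdf):
    """Build a Ghostscript argv that keeps SAFER on and allows one file."""
    icc = os.path.abspath(icc_path)
    # The permit option takes a path list and treats '*' as a wildcard,
    # so refuse paths that would widen the grant beyond a single file.
    if "*" in icc or os.pathsep in icc:
        raise ValueError("ICC path would widen the read permission: %r" % icc)
    return [
        "gs", "-dBATCH", "-dNOPAUSE", "-dSAFER",
        "--permit-file-read=" + icc,   # assumed available in this build
        "-dPDFA=2", "-sColorConversionStrategy=RGB",
        "-sDEVICE=pdfwrite", "-sOutputFile=" + out_pdf,
        def_ps, src,
    ]


if __name__ == "__main__":
    icc = "/usr/share/color/icc/sRGB.icc"   # constructed sample path
    print(render_pdfa_def(icc))
    print(" ".join(gs_args("pdfa_def.ps", icc, "in.pdf", "out.pdf")))
```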