Quoting James R Barlow (2019-09-06 10:15:59)
> On Thu, Sep 5, 2019 at 11:57 PM Jonas Smedegaard <jo...@jones.dk> wrote:
> >
> > Quoting Sean Whitton (2019-09-06 06:20:47)
> > > On Sat 31 Aug 2019 at 03:58PM +02, Jonas Smedegaard wrote:
> > >
> > > > Possibly some of the other tools use undocumented insecure
> > > > ghostscript calls which were recently removed.
> > > >
> > > > To investigate that further, someone needs to extract the actual
> > > > input (probably Postscript or PDF) and the exact command used to
> > > > call ghostscript.
> > >
> > > This was indeed a problem and ocrmypdf upstream has fixed it in
> > > the latest release.
> >
> > Ah, great that the cause has been located!
> >
> > ...and happy that my guess was correct :-)
>
> Not quite? ocrmypdf did not use any undocumented ghostscript calls. It
> followed an example from Ghostscript's documentation almost verbatim
> to generate a .ps from a template that tells Ghostscript to insert an
> ICC profile, referenced by filename. Ghostscript 9.28 is disabling
> access to all files from a .ps file unless safety is explicitly
> disabled. So nothing undocumented or exploitable was happening. (But
> it does make sense for Ghostscript to make the change.)
>
> It does mean any other software that uses Ghostscript to generate
> PDF/X, PDF/E, or PDF/A is likely going to break as well with this
> release.
Thanks for the clarification - helps me not spread any further false
information!

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
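An added example, not ocrmypdf's code, not Ghostscript's, and not the fix ocrmypdf upstream shipped: it reproduces the mechanism James describes above. The PDF/A prefix in the shape of Ghostscript's documented PDFA_def.ps sample opens the ICC profile from PostScript with `ICCProfile (r) file`, which is exactly the file access that SAFER (the default since 9.28) refuses. Rather than switching the sandbox off with `-dNOSAFER`, the builder grants read access to that one file with Ghostscript's `--permit-file-read=` option (added in 9.28 together with SAFER-by-default). Paths, the `gs_command` helper and the `unsafe` flag are assumptions for illustration; the ICC path is quoted as a PostScript string so that a filename containing `(`, `)` or `\` cannot break out of the literal.

```python
"""Build a PDF/A prefix .ps and a Ghostscript 9.28+ command line that
reads the ICC profile under SAFER instead of disabling safety entirely.
Added example; all paths below are constructed for illustration."""


def ps_string(path: str) -> str:
    """Quote a filesystem path as a PostScript (...) string literal.
    Only backslash and the two parentheses need escaping inside (...)."""
    escaped = (path.replace("\\", "\\\\")
                   .replace("(", "\\(")
                   .replace(")", "\\)"))
    return f"({escaped})"


def pdfa_prefix(icc_path: str) -> str:
    """Output-intent prefix modelled on Ghostscript's PDFA_def.ps sample.
    The 'ICCProfile (r) file' line opens a file from PostScript; this is
    the call that SAFER (default since 9.28) blocks unless permitted."""
    return "\n".join([
        "%!",
        f"/ICCProfile {ps_string(icc_path)} def",
        "[ /_objdef {icc_PDFA} /type /stream /OBJ pdfmark",
        "[ {icc_PDFA} << /N 3 >> /PUT pdfmark",
        "[ {icc_PDFA} ICCProfile (r) file /PUT pdfmark",
        "[ /_objdef {OutputIntent_PDFA} /type /dict /OBJ pdfmark",
        "[ {OutputIntent_PDFA} <<",
        "  /Type /OutputIntent /S /GTS_PDFA1",
        "  /DestOutputProfile {icc_PDFA}",
        "  /OutputConditionIdentifier (sRGB)",
        ">> /PUT pdfmark",
        "[ {Catalog} << /OutputIntents [ {OutputIntent_PDFA} ] >> /PUT pdfmark",
        "",
    ])


def gs_command(prefix_ps: str, input_pdf: str, output_pdf: str,
               icc_path: str, unsafe: bool = False) -> list:
    """argv for a PDF/A-2 conversion. With unsafe=False (the intended
    form) only icc_path is readable from PostScript; unsafe=True shows
    the pre-9.28 workaround that turns the whole sandbox off."""
    cmd = [
        "gs", "-dBATCH", "-dNOPAUSE", "-dQUIET",
        "-sDEVICE=pdfwrite", "-dPDFA=2",
        "-sColorConversionStrategy=RGB",
        f"-sOutputFile={output_pdf}",
    ]
    if unsafe:
        cmd.append("-dNOSAFER")                      # everything readable
    else:
        cmd.append(f"--permit-file-read={icc_path}")  # this one file only
    cmd += [prefix_ps, input_pdf]                     # prefix runs first
    return cmd


if __name__ == "__main__":
    # Constructed sample paths; sRGB.icc is wherever your distro ships it.
    icc = "/usr/share/color/icc/sRGB.icc"
    with open("pdfa_def.ps", "w", encoding="ascii") as fh:
        fh.write(pdfa_prefix(icc))
    print(" ".join(gs_command("pdfa_def.ps", "in.pdf", "out.pdf", icc)))
```

The permitted path should be the profile file itself, not its directory: a trailing `/` in `--permit-file-read=` grants the whole tree, which is the same over-broad grant `-dNOSAFER` gives, just scoped to one directory.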