and some more info in this duplicate bug
There seems to be no upstream fix release yet. There are rumors that this was the vulnerability used in the recent HipChat incident.
Commits to fix according to the upstream bug:
CVE ID: CVE-2017-8291
Summary: Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program, as exploited in the wild in April 2017.
Not yet released.
Patched in our 9.21
Please stabilize app-text/ghostscript-gpl-9.21 (all stable arches)
Stable on alpha.
Arches or maintainers please stabilize for hppa ASAP. Security will release GLSA for this in 7 days with or without hppa arch being stable.
This issue was resolved and addressed in
GLSA 201708-06 at https://security.gentoo.org/glsa/201708-06
by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architecture.
Maintainer(s), please drop the vulnerable version(s).
Slyfox, please stabilize or drop from stable.
This is holding up a security bug, and security cleanup.
Thank you all,
Maintainers please proceed to cleanup.
Gentoo Security Padawan