Google Project Zero's Tavis Ormandy recently disclosed a vulnerability in Ghostscript allowing for arbitrary code execution when manipulating PostScript files. It's notably possible to trigger the bug through a simple ImageMagick / GraphicsMagick "convert payload.ps anyfile.jpg" call, which can probably lead to RCE on any number of systems doing user-submitted image file conversions.

Patches are referenced in the OpenWall announcement, and they are in the official Ghostscript git, so we can probably expect an official release fixing the problem at some point.

https://www.openwall.com/lists/oss-security/2019/01/23/5

Other references:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1729
https://bugs.ghostscript.com/show_bug.cgi?id=700317

There are six patches in total from the announcement, but two of them don't seem to apply cleanly on top of ghostscript-9.26.

*** This bug has been marked as a duplicate of bug 676264 ***