The .buildfont1 does not sufficiently protect its environment. A specially crafted PostScript script can override the typecheck error handler to retrieve a reference to .forceput. This can be used to disable -dSAFER and, for example, access files outside of the restricted area.
Upstream patch: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19
Ghostscript 9.50 was released on 2019-10-15:
The more astute among you might notice that 9.28 has morphed into 9.50.
In a recent discussion amongst the Ghostscript developers, it became
clear that the redesign and reimplementation of the file security
features warranted more recognition than just the usual single digit
version increment. Hence we opted to bump it up to 9.50.
Author: Thomas Deutschmann <firstname.lastname@example.org>
AuthorDate: 2019-10-24 22:18:04 +0000
Commit: Thomas Deutschmann <email@example.com>
CommitDate: 2019-10-24 22:29:05 +0000
app-text/ghostscript-gpl: bump to v9.50
Package-Manager: Portage-2.3.78, Repoman-2.3.17
Signed-off-by: Thomas Deutschmann <firstname.lastname@example.org>
New GLSA request filed.
This issue was resolved and addressed in
GLSA 202004-03 at https://security.gentoo.org/glsa/202004-03
by GLSA coordinator Thomas Deutschmann (whissi).