Four more vulnerabilities in Ghostscript

Two weeks after the previous critical issue in Ghostscript was discovered, 4 more similar vulnerabilities have been identified (CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817). They allow the "-dSAFER" isolation mode to be bypassed by creating a link to ".forceput". When processing a specially crafted document, an attacker can gain access to the contents of the file system and achieve arbitrary code execution on the system (for example, by adding commands to ~/.bashrc or ~/.profile). The fix is available as patches (1, 2). Package updates in distributions can be tracked on these pages: Debian, Fedora, Ubuntu, SUSE/openSUSE, RHEL, Arch, PINK, FreeBSD.

Recall that vulnerabilities in Ghostscript pose an increased risk because the package is used by many popular applications to process the PostScript and PDF formats. For example, Ghostscript is invoked when desktop thumbnails are created, when data is indexed in the background, and when images are converted. In many cases a successful attack requires nothing more than downloading the exploit file or browsing the directory that contains it in Nautilus. Vulnerabilities in Ghostscript can also be exploited through image processors based on the ImageMagick and GraphicsMagick packages by passing them a JPEG or PNG file that contains PostScript code instead of an image (such a file is handed to Ghostscript because the MIME type is determined from the content rather than from the extension).
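A defensive check for the content-versus-extension mismatch described above, added here as an example (it is not from the original article): it walks a directory and reports files that carry an image extension but whose leading bytes are PostScript, EPS or PDF, the formats ImageMagick and GraphicsMagick hand to Ghostscript. The extension list, function names and sample files are assumptions constructed for the illustration.

```python
import tempfile
from pathlib import Path

# Leading bytes of formats that ImageMagick/GraphicsMagick hand to Ghostscript.
GS_MAGIC = {
    b"%!": "PostScript/EPS",
    b"%PDF-": "PDF",
    b"\xc5\xd0\xd3\xc6": "EPS (DOS binary header)",
}
# Extensions a thumbnail or upload pipeline treats as plain images (assumed list).
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff", ".webp"}

def sniff_ghostscript_format(head):
    """Return the Ghostscript-handled format these bytes start with, or None."""
    for magic, name in GS_MAGIC.items():
        if head.startswith(magic):
            return name
    return None

def disguised_files(root):
    """List (path, format) for image-named files whose content is PS/EPS/PDF."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in IMAGE_EXTS:
            continue
        try:
            with path.open("rb") as fh:
                fmt = sniff_ghostscript_format(fh.read(8))
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if fmt:
            hits.append((path, fmt))
    return sorted(hits)

def demo():
    """Scan constructed sample files; returns {file name: detected format}."""
    samples = {
        "real.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "photo.jpg": b"%!PS-Adobe-3.0\n% constructed sample, no operators\n",
        "scan.PNG": b"%PDF-1.4\n% constructed sample\n",
        "notes.ps": b"%!PS\n% honest extension, not reported\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return {p.name: fmt for p, fmt in disguised_files(root)}

if __name__ == "__main__":
    print(demo())
```

The check looks only at offset 0 of each file, so it is a triage aid for quarantining files before they reach a thumbnailer or converter, not a replacement for installing the patched Ghostscript packages.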

Source: opennet.ru
