[tex-live] Still issues with Ghostscript 9.25

Nelson H. F. Beebe beebe at math.utah.edu
Sat Sep 15 17:50:45 CEST 2018 

A quick Web search turned up some recent links that discuss the
newly-discovered security holes that ghostscript 9.25 has fixed:

	No Patch Available Yet for New Major Vulnerability in Ghostscript Interpreter
	https://www.bleepingcomputer.com/news/security/no-patch-available-yet-for-new-major-vulnerability-in-ghostscript-interpreter/

	Ghostscript Flaws Allow Remote Takeover of Systems
	https://threatpost.com/unpatched-ghostscript-flaws-allow-remote-takeover-of-systems/136800/

	Critical Flaws in Ghostscript Could Leave Many Systems at Risk of Hacking
	https://thehackernews.com/2018/08/ghostscript-postscript-vulnerability.html

In the Unix world, it has sadly been several years since Adobe offered
a version of Acrobat Reader for PDF display: our Solaris SPARC version
is dated 8-Oct-2009, and our GNU/Linux x86-64 version is from
8-May-2013.

Thus, ghostscript has become the defacto tool suite for PostScript and
PDF viewing, and few TeX sites outside the Microsoft Windows world
could live without it.

Rather than disabling viewing of PostScript and PDF files, as some of
the above links suggest, we just need to inform our community of the
desirability of upgrading their ghostscript installations.

This will take time: even a Ubuntu Rolling Release (bleeding edge)
system has only ghostscript 9.23 installed; other vendors are much
further behind: CentOS 7 (the latest release from Red Hat) has version
gs 9.07. Mint Linux 19 and Debian 10 has gs 9.22.  OpenSUSE 42.3 has
gs 9.15, and OpenSUSE Tumbleweed (bleeding edge) has gs 9.23.

It is unclear whether other PDF and PostScript viewers that are not
based on either ghostscript or Adobe code have similar
vulnerabilities.  They include apvlv, evince, mupdf, qpdfview,
viewpdf, zathura, and likely several others, plus built-in PDF viewers
in recent firefox and chrome Web browsers.

-------------------------------------------------------------------------------
- Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
- University of Utah                    FAX: +1 801 581 4148                  -
- Department of Mathematics, 110 LCB    Internet e-mail: beebe at math.utah.edu  -
- 155 S 1400 E RM 233                       beebe at acm.org  beebe at computer.org -
- Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe/ -
-------------------------------------------------------------------------------

More information about the tex-live mailing list