[Qgis-user] Security vulnerability [ CVE-2023-36664 ] Ghostscript in Qgis?

Greg Troxel gdt at lexort.com
Wed Jul 19 04:56:24 PDT 2023


Ronny Kerlin via QGIS-User <qgis-user at lists.osgeo.org> writes:

> We have an important question regarding a recent vulnerability [
> CVE-2023-36664 ] affecting Ghostscript
>
> There are also corresponding GS libraries in #QGIS 3.28.4.

qgis is source code.  I just looked quickly, and did not find any
ghostscript.   In the binary package for pkgsrc, there is no dependency
on ghostscript.

gdal has several drivers for pdf, and certainly one of them could
involve ghostscript.  However it looks like not:
  https://gdal.org/drivers/raster/pdf.html

Also, the license of ghostscript is AGPL, and thus a combined work of
ghostscript and qgis would have to be distributed under AGPL -- or at
least I think they are compatible in that sense.  That would be a major
departure for qgis licensing, so if that's what you have in some binary
packaging system it should be loud enough that you are aware of this.

The real question is that we can't tell what you are actually running,
and who provided it.  You didn't even mention your operating system, let
alone what packaging system you are using.  (Actually, you didn't even
say that you didn't build from source yourself -- but I'll guess that
isn't the case.)


The short answer is that you should contact the entity that distributes
the binary package you are using and inquire.

