[Qgis-user] Security vulnerability [ CVE-2023-36664 ] Ghostscript in Qgis?
Andreas Neumann
a.neumann at carto.net
Thu Jul 20 00:56:22 PDT 2023
Dear Ronny,
I am adding the mailing list again.
Jürgen Fischer (the packager for Windows and Ubuntu) informed you that
OSGeo4W is already patched:
https://lists.osgeo.org/pipermail/qgis-user/2023-July/053215.html
And also that ghostscript isn't necessary for QGIS, but a dependency of
GRASS. You could install QGIS with the OSGeo4W network installer and not
select GRASS. Then you wouldn't get ghostscript. But if you do want
GRASS you can now use the patched ghostscript version.
If you need a patched .msi or standalone installer you can get one after
the next planned release - see
https://www.qgis.org/en/site/getinvolved/development/roadmap.html#roadmap
Hope this clarifies the situation enough?
Greetings,
Andreas
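The practical question in this thread is how an administrator checks whether the Ghostscript files shipped under `C:\Program Files\QGIS 3.28.4\bin` (gsdll64.dll, gswin32c.exe, gswin64c.exe, reported as GPL Ghostscript 9.55.0) predate the CVE-2023-36664 fix. The script below is an added example, not code from QGIS, OSGeo4W or anyone in the thread. It assumes that Ghostscript 10.01.2 is the upstream release that closed CVE-2023-36664 (a fact from the Ghostscript advisory, not stated in the thread), and all function names are hypothetical.

```python
"""Audit a QGIS / OSGeo4W install tree for a Ghostscript build older than the
CVE-2023-36664 fix.  Added example; not code from QGIS, OSGeo4W or the thread.
Assumptions (not stated in the thread): Ghostscript 10.01.2 is the release
that closed CVE-2023-36664; all function names here are hypothetical."""
import re
import subprocess
import sys
from pathlib import Path
from typing import Iterable, List, Optional, Tuple, Union

Version = Tuple[int, int, int]
PathLike = Union[str, Path]

# First Ghostscript release with the CVE-2023-36664 fix (assumption, see above).
FIXED_VERSION: Version = (10, 1, 2)

# Files the thread reports under C:\Program Files\QGIS 3.28.4\bin.
GS_FILES = ("gsdll64.dll", "gswin32c.exe", "gswin64c.exe")


def parse_version(text: str) -> Optional[Version]:
    """Extract 'MAJOR.MINOR[.PATCH]' from banner text such as
    'GPL Ghostscript 9.55.0' or the bare '10.01.2' printed by 'gs --version'."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: Version) -> bool:
    """Plain tuple comparison: (9, 55, 0) < (10, 1, 2), so the build named in
    the thread counts as affected."""
    return version < FIXED_VERSION


def find_gs_files(paths: Iterable[PathLike]) -> List[Path]:
    """Keep only the Ghostscript executables/DLLs named in the thread (case-insensitive)."""
    return [Path(p) for p in paths if Path(p).name.lower() in GS_FILES]


def query_version(exe: PathLike) -> Optional[Version]:
    """Run the console binary with --version (it prints only the version string).
    A DLL cannot be executed this way, so it yields None and must be checked via
    its file properties or via the executable that loads it."""
    exe = Path(exe)
    if exe.suffix.lower() != ".exe":
        return None
    try:
        proc = subprocess.run([str(exe), "--version"], capture_output=True,
                              text=True, timeout=10, check=False)
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_version(proc.stdout)


def audit(install_root: PathLike) -> List[Tuple[Path, Optional[Version], Optional[bool]]]:
    """Return (path, version-or-None, affected-or-None) for every Ghostscript
    file found anywhere below install_root."""
    report = []
    for f in find_gs_files(Path(install_root).rglob("*")):
        v = query_version(f)
        report.append((f, v, is_affected(v) if v else None))
    return report


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files\QGIS 3.28.4"
    for path, version, affected in audit(root):
        status = {True: "AFFECTED", False: "patched", None: "version unknown"}[affected]
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{path}: {shown} -> {status}")
```

Run it as `python gs_audit.py "C:\Program Files\QGIS 3.28.4"` (or against the OSGeo4W root); a DLL is listed with an unknown version because only the console executables can be asked for `--version`, so the verdict for gsdll64.dll should be read off the gswin64c.exe sitting next to it or from the DLL's file properties.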
On 2023-07-20 07:21, Ronny Kerlin wrote:
> Please excuse my bad English.
>
> Hello and sorry for the insufficient information, that was not
> intentional. I use the LTR version QGis 3.28.4 Firenze under Windows10
> 22H2. Download source
> https://www.qgis.org/de/site/forusers/download.html# [1]
>
> With this installation, Ghostscript libraries are also copied to the
> corresponding directory
>
> C:\Program Files\QGIS 3.28.4\bin\gsdll64.dll
>
> C:\Program Files\QGIS 3.28.4\bin\gswin32c.exe
>
> C:\Program Files\QGIS 3.28.4\bin\gswin64c.exe
>
> The Ghostscript libraries used here are older (GPL Ghostscript 9.55.0)
> and are therefore probably also affected by the Ghostscript
> vulnerability.
>
> https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
>
> „Applications may leverage Ghostscript without it being obvious. It is
> recommended that applications that have the ability to render PDF or
> EPS files are checked for Ghostscript usage and updated as patches
> become available from the vendor."
>
> So the question was who do I contact to find out if the QGis version is
> vulnerable to such manipulated .eps, .ps or QGis project files?
>
> Thank you for your help and greetings from Germany
>
> Ronny
>
> #######
>
> Please excuse my bad English.
>
> Hello and sorry for the insufficient information, that was not intentional.
>
> I use the LTR version QGis 3.28.4 Firenze under Windows10 22H2.
> Download source https://www.qgis.org/de/site/forusers/download.html#
>
> With this installation, Ghostscript libraries are also copied into the
> corresponding directory
>
> C:\Program Files\QGIS 3.28.4\bin\gsdll64.dll
> C:\Program Files\QGIS 3.28.4\bin\gswin32c.exe
> C:\Program Files\QGIS 3.28.4\bin\gswin64c.exe
>
> The Ghostscript libraries used here are older (GPL Ghostscript 9.55.0)
> and are therefore probably also affected by the Ghostscript
> vulnerability.
>
> https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
> „Applications may leverage Ghostscript without it being obvious. It is
> recommended that applications that have the ability to render PDF or EPS
> files are checked for Ghostscript usage and updated as patches become
> available from the vendor."
>
> So the question was, who do I have to contact to find out whether the
> QGis version is vulnerable to such manipulated .eps or .ps or QGis
> project files?
>
> Thank you for your help and greetings from Germany
>
> Ronny
>
> On Wed, 19 Jul 2023 at 13:57, Andreas Neumann
> <a.neumann at carto.net> wrote:
>
> Hi Ronny,
>
> What operating system are you referring to? QGIS on Windows? Mac?
> Linux?
>
> QGIS doesn't use ghostscript and doesn't install ghostscript.
>
> But you might have installed ghostscript through OSGeo4W. If there is
> anything to patch, then it is in OSGeo4W and the various Linux and
> MacOS distributions.
>
> How did you install QGIS? Through the OSGeo4W installer or with the
> standalone installer or .msi installer?
>
> Greetings,
>
> Andreas
>
> On 2023-07-19 13:21, Ronny Kerlin via QGIS-User wrote:
>
> Hello QGIS team,
>
> We have an important question regarding a recent vulnerability [
> CVE-2023-36664 ] affecting Ghostscript
>
> https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
>
> https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betreff-LibreOffice-und-mehr-9215627.html
> https://www.borncity.com/blog/2023/07/13/critical-rce-vulnerability-cve-2023-36664-in-ghostscript-endangered-systems/
>
> There are also corresponding GS libraries in #QGIS 3.28.4.
>
> Now how can I fix the above vulnerability or is there no concern for
> QGis?
>
> Thank you in advance for your efforts.
> Best regards
>
> Ronny
>
> ###### Hello QGIs team,
>
> we have an important question about a current security vulnerability [
> CVE-2023-36664 ] that arises in connection with Ghostscript
>
> https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
>
> https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betrifft-LibreOffice-und-mehr-9215627.html
> https://www.borncity.com/blog/2023/07/13/kritische-rce-schwachstelle-cve-2023-36664-in-ghostscript-bedroht-systeme/
>
> In #QGIS 3.28.4 there are also corresponding GS libraries.
>
> How can I now close the security vulnerability mentioned above, or are
> there no concerns for QGis?
>
> Thank you in advance for your efforts.
>
> Best regards
>
> Ronny
>
> _______________________________________________
> QGIS-User mailing list
> QGIS-User at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-user
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-user
Links:
------
[1] https://www.qgis.org/de/site/forusers/download.html#