[Qgis-user] Security vulnerability [ CVE-2023-36664 ] Ghostscript in Qgis?

Ronny Kerlin r.kerlin at onlinehome.de
Thu Jul 20 04:54:09 PDT 2023


Thank you very much for your answer.

Greetings

Ronny

On Thu, 20 Jul 2023 at 09:56, Andreas Neumann <a.neumann at carto.net> wrote:

> Dear Ronny,
>
> I am adding the mailing list again.
>
> Jürgen Fischer (the packager for Windows and Ubuntu) informed you that
> OSGeo4W is already patched:
> https://lists.osgeo.org/pipermail/qgis-user/2023-July/053215.html
>
> And also that ghostscript isn't necessary for QGIS, but a dependency of
> GRASS. You could install QGIS with the OSGeo4W network installer and not
> select GRASS. Then you wouldn't get ghostscript. But if you do want GRASS
> you can now use the patched ghostscript version.
>
> If you need a patched .msi or standalone installer you can get one after
> the next planned release - see
> https://www.qgis.org/en/site/getinvolved/development/roadmap.html#roadmap
>
> Hope this clarifies the situation enough?
>
> Greetings,
>
> Andreas
>
> On 2023-07-20 07:21, Ronny Kerlin wrote:
>
> Please excuse my bad English.
>
> Hello and sorry for the insufficient information, that was not
> intentional. I use the LTR version QGis 3.28.4 Firenze under Windows 10
> 22H2. Download source
> https://www.qgis.org/de/site/forusers/download.html#
>
> With this installation, Ghostscript libraries are also copied to the
> corresponding directory
>
> C:\Program Files\QGIS 3.28.4\bin\gsdll64.dll
> C:\Program Files\QGIS 3.28.4\bin\gswin32c.exe
> C:\Program Files\QGIS 3.28.4\bin\gswin64c.exe
>
> The Ghostscript libraries used here are older (GPL Ghostscript 9.55.0) and
> are therefore probably also affected by the Ghostscript vulnerability.
>
> https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
>
> "Applications may leverage Ghostscript without it being obvious. It is
> recommended that applications that have the ability to render PDF or EPS
> files are checked for Ghostscript usage and updated as patches become
> available from the vendor."
>
> So the question was: who do I contact to find out if the QGis version is
> vulnerable to such manipulated .eps, .ps or QGis project files?
>
> Thank you for your help and greetings from Germany
>
> Ronny
>
> On Wed, 19 Jul 2023 at 13:57, Andreas Neumann <a.neumann at carto.net> wrote:
>
> Hi Ronny,
>
> What operating system are you referring to? QGIS on Windows? Mac? Linux?
>
> QGIS doesn't use ghostscript and doesn't install ghostscript.
>
> But you might have installed ghostscript through OSGeo4W. If there is
> anything to patch, then it is in OSGeo4W and the various Linux and MacOS
> distributions.
>
> How did you install QGIS? Through the OSGeo4W installer or with the
> standalone installer or .msi installer?
>
> Greetings,
>
> Andreas
>
> On 2023-07-19 13:21, Ronny Kerlin via QGIS-User wrote:
>
> Hello QGIS team,
>
> We have an important question regarding a recent vulnerability [
> CVE-2023-36664 ] affecting Ghostscript
>
> https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
> https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betrifft-LibreOffice-und-mehr-9215627.html
> https://www.borncity.com/blog/2023/07/13/critical-rce-vulnerability-cve-2023-36664-in-ghostscript-endangered-systems/
>
> There are also corresponding GS libraries in #QGIS 3.28.4.
>
> Now how can I fix the above vulnerability or is there no concern for QGis?
>
> Thank you in advance for your efforts.
> Best regards
>
> Ronny
>
>
> _______________________________________________
> QGIS-User mailing list
> QGIS-User at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-user
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-user
>
>
>
>
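The Kroll recommendation quoted in the thread (check applications for Ghostscript usage and confirm the version) as an added example, not code from the thread, from QGIS or from OSGeo4W: a Python script that walks an install directory, flags files shipped under the usual Ghostscript names (gswin64c.exe, gswin32c.exe, gsdll64.dll, gsdll32.dll, gs), asks each executable for its version with `--version`, and compares the result with 10.01.2, the release the public advisories name as the first carrying the fix for CVE-2023-36664. The file-name patterns and that threshold are assumptions of the example; the `demo()` function rebuilds the `bin\` layout Ronny reported as a constructed, empty-file sample with the version probe stubbed to 9.55.0 so it runs offline. Two caveats a practitioner should keep in mind: a vulnerable binary on disk only matters if something renders untrusted PostScript/EPS through it (as Andreas notes, QGIS itself does not call Ghostscript, GRASS does), and Linux distributions backport fixes, so on a distro package a version string below 10.01.2 is not proof of vulnerability.

```python
"""Audit an install tree (e.g. a QGIS / OSGeo4W directory) for bundled Ghostscript
and judge each copy against CVE-2023-36664.

Added example, not QGIS or OSGeo4W code. Assumptions: the fix shipped in
Ghostscript 10.01.2, and Ghostscript appears on disk under the usual file
names (gswin64c.exe, gswin32c.exe, gsdll64.dll, gsdll32.dll, gs / gs.exe).
"""
import os
import re
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Assumption: first release carrying the fix for CVE-2023-36664.
FIXED_VERSION: Version = (10, 1, 2)

# File names Ghostscript is typically shipped under (assumption of the example).
GS_ARTEFACT = re.compile(r"^(gsdll(32|64)\.dll|gswin(32|64)c?\.exe|gs(\.exe)?)$", re.IGNORECASE)

# Handles both "9.55.0" (gs --version) and "GPL Ghostscript 9.55.0 (2021-09-27)" (gs -v).
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


@dataclass
class Finding:
    path: Path
    version: Optional[Version]      # None when it could not be determined
    vulnerable: Optional[bool]      # None when the version is unknown


def parse_version(text: str) -> Optional[Version]:
    """Extract a numeric (major, minor, patch) tuple from Ghostscript's version output."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_fixed(version: Version) -> bool:
    """Tuple comparison orders 9.55.0 below 10.01.2 correctly (a string compare would not)."""
    return version >= FIXED_VERSION


def find_ghostscript(root) -> List[Path]:
    """Walk the tree and return every file whose name looks like a Ghostscript binary."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if GS_ARTEFACT.match(name):
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def query_version(exe: Path) -> Optional[Version]:
    """Run '<exe> --version' (Ghostscript prints only the version string) and parse it."""
    try:
        out = subprocess.run([str(exe), "--version"], capture_output=True,
                             text=True, timeout=15)
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_version(out.stdout or out.stderr)


def _sibling_exe(dll: Path) -> Optional[Path]:
    """A DLL cannot be asked for its version; use the console exe shipped next to it."""
    for name in ("gswin64c.exe", "gswin32c.exe", "gs.exe", "gs"):
        candidate = dll.parent / name
        if candidate.is_file():
            return candidate
    return None


def audit(root, version_of: Callable[[Path], Optional[Version]] = query_version) -> List[Finding]:
    """Locate Ghostscript artefacts under root and classify each against FIXED_VERSION."""
    findings = []
    for path in find_ghostscript(root):
        probe = _sibling_exe(path) if path.suffix.lower() == ".dll" else path
        version = version_of(probe) if probe is not None else None
        vulnerable = None if version is None else not is_fixed(version)
        findings.append(Finding(path, version, vulnerable))
    return findings


def demo() -> List[Finding]:
    """Constructed sample: the bin/ layout reported in the thread, with the version
    probe stubbed to 9.55.0 so this runs offline without a real Ghostscript."""
    root = Path(tempfile.mkdtemp(prefix="qgis-gs-audit-"))
    bin_dir = root / "bin"
    bin_dir.mkdir()
    for name in ("gsdll64.dll", "gswin32c.exe", "gswin64c.exe", "qgis-bin.exe"):
        (bin_dir / name).write_bytes(b"")          # empty placeholders, not real binaries
    return audit(root, version_of=lambda exe: (9, 55, 0))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. "C:\Program Files\QGIS 3.28.4"
    results = audit(target) if target else demo()
    for f in results:
        state = {True: "VULNERABLE", False: "fixed", None: "unknown"}[f.vulnerable]
        ver = ".".join(map(str, f.version)) if f.version else "?"
        print(f"{state:10} {ver:8} {f.path}")
```

Run it with the install root as the only argument to audit a real machine; without an argument it audits the constructed sample and reports all three files from the thread as VULNERABLE at 9.55.0. After applying the patched OSGeo4W package, re-running it against the same root should show 10.01.2 or later as "fixed"; an "unknown" result means a DLL with no console executable beside it, which needs a manual look.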