[Qgis-user] Security vulnerability [ CVE-2023-36664 ] Ghostscript in Qgis?

Andreas Neumann a.neumann at carto.net
Wed Jul 19 04:57:21 PDT 2023


Hi Ronny,

What operating system are you referring to? QGIS on Windows? Mac? Linux?

QGIS doesn't use ghostscript and doesn't install ghostscript.

But you might have installed ghostscript through OSGeo4W. If there is 
anything to patch, then it is in OSGeo4W and the various Linux and MacOS 
distributions.

How did you install QGIS? Through the OSGeo4W installer or with the 
standalone installer or .msi installer?

Greetings,

Andreas

On 2023-07-19 13:21, Ronny Kerlin via QGIS-User wrote:

> Hello QGIS team,
> 
> We have an important question regarding a recent vulnerability [ 
> CVE-2023-36664 ] affecting Ghostscript
> 
> https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
> 
> https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betreff-LibreOffice-und-mehr-9215627.html
> https://www.borncity.com/blog/2023/07/13/critical-rce-vulnerability-cve-2023-36664-in-ghostscript-endangered-systems/
> 
> There are also corresponding GS libraries in #QGIS 3.28.4.
> 
> Now how can I fix the above vulnerability or is there no concern for 
> QGis?
> 
> Thank you in advance for your efforts.
> Best regards
> 
> Ronny
> 
> ###### Hello QGIS team,
> 
> we have an important question about a current security vulnerability [ 
> CVE-2023-36664 ] that occurs in connection with Ghostscript
> 
> https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
> 
> https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betrifft-LibreOffice-und-mehr-9215627.html
> https://www.borncity.com/blog/2023/07/13/kritische-rce-schwachstelle-cve-2023-36664-in-ghostscript-bedroht-systeme/
> 
> In #QGIS 3.28.4 there are also corresponding GS libraries.
> 
> How can I now close the above-mentioned security vulnerability, or 
> are there no concerns for QGIS?
> 
> Many thanks in advance for your efforts.
> 
> Best regards
> 
> Ronny