> Dear Ronny,
> I am adding the mailing list again.
> Jürgen Fischer (the packager for Windows and Ubuntu) informed you that
> OSGeo4W is already patched:
> https://lists.osgeo.org/pipermail/qgis-user/2023-July/053215.html
> And also that ghostscript isn't necessary for QGIS, but a dependency of
> GRASS. You could install QGIS with the OSGeo4W network installer and not
> select GRASS. Then you wouldn't get ghostscript. But if you do want GRASS
> you can now use the patched ghostscript version.
> If you need a patched .msi or standalone installer you can get one after
> the next planned release - see
> https://www.qgis.org/en/site/getinvolved/development/roadmap.html#roadmap
> Hope this clarifies the situation enough?
> Greetings,
> Andreas
> Please excuse my bad English.
> Hello and sorry for the insufficient information, that was not
> intentional. I use the LTR version QGis 3.28.4 Firenze under Windows10
> 22H2. Download source
> https://www.qgis.org/de/site/forusers/download.html#
> With this installation, Ghostscript libraries are also copied to the
> corresponding directory
> C:\Program Files\QGIS 3.28.4\bin\gsdll64.dll
> C:\Program Files\QGIS 3.28.4\bin\gswin32c.exe
> C:\Program Files\QGIS 3.28.4\bin\gswin64c.exe
> The Ghostscript libraries used here are older (GPL Ghostscript 9.55.0) and
> are therefore probably also affected by the Ghostscript vulnerability.
> https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
> „Applications may leverage Ghostscript without it being obvious. It is
> recommended that applications that have the ability to render PDF or EPS
> files are checked for Ghostscript usage and updated as patches become
> available from the vendor."
> So the question was: who do I contact to find out whether the QGIS version is
> vulnerable to such manipulated .eps, .ps or QGIS project files?
> Thank you for your help and greetings from Germany
> Ronny
> #######
> Please excuse my bad English.
> Hello, and sorry for the insufficient information, that was not intentional.
> I use the LTR version QGIS 3.28.4 Firenze under Windows 10 22H2.
> Download source: https://www.qgis.org/de/site/forusers/download.html#
> With this installation, Ghostscript libraries are also copied into the
> corresponding directory
> C:\Program Files\QGIS 3.28.4\bin\gsdll64.dll
> C:\Program Files\QGIS 3.28.4\bin\gswin32c.exe
> C:\Program Files\QGIS 3.28.4\bin\gswin64c.exe
> The Ghostscript libraries used here are older (GPL Ghostscript 9.55.0) and
> are therefore probably also affected by the Ghostscript vulnerability.
> https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
> „Applications may leverage Ghostscript without it being obvious. It is
> recommended that applications that have the ability to render PDF or EPS
> files are checked for Ghostscript usage and updated as patches become
> available from the vendor."
> So the question was: whom do I need to contact to find out whether the
> QGIS version is vulnerable to such manipulated .eps or .ps or QGIS
> project files?
> Many thanks for your help and greetings from Germany
> Ronny
> Hi Ronny,
> What operating system are you referring to? QGIS on Windows? Mac? Linux?
> QGIS doesn't use ghostscript and doesn't install ghostscript.
> But you might have installed ghostscript through OSGeo4W. If there is
> anything to patch, then it is in OSGeo4W and the various Linux and MacOS
> distributions.
> How did you install QGIS? Through the OSGeo4W installer or with the
> standalone installer or .msi installer?
> Greetings,
> Andreas
> Hello QGIS team,
> We have an important question regarding a recent vulnerability
> [CVE-2023-36664] affecting Ghostscript
> https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
> https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betreff-LibreOffice-und-mehr-9215627.html
> https://www.borncity.com/blog/2023/07/13/critical-rce-vulnerability-cve-2023-36664-in-ghostscript-endangered-systems/
> There are also corresponding GS libraries in #QGIS 3.28.4.
> Now how can I fix the above vulnerability or is there no concern for QGis?
> Thank you in advance for your efforts.
> Best regards
> Ronny
> ###### Hello QGIS team,
> we have an important question about a current security vulnerability
> [CVE-2023-36664] that occurs in connection with Ghostscript
> <https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betrifft-LibreOffice-und-mehr-9215627.html>
> https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability
> https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betrifft-LibreOffice-und-mehr-9215627.html
> https://www.borncity.com/blog/2023/07/13/kritische-rce-schwachstelle-cve-2023-36664-in-ghostscript-bedroht-systeme/
> In *#QGIS* 3.28.4 there are also corresponding GS libraries.
> How can I now close the above-mentioned security vulnerability, or is
> there no concern for QGIS?
> Many thanks in advance for your efforts.
> Best regards
> Ronny
