
<div dir="ltr"><div>Thank you very much for your answer. <br></div><div><br></div><div>Greetings <br></div><div><br></div><div>Ronny<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Am Do., 20. Juli 2023 um 09:56 Uhr schrieb Andreas Neumann <<a href="mailto:a.neumann@carto.net">a.neumann@carto.net</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">

<p>Dear Ronny,</p>

<p>I am adding the mailing list again.</p>

<p>Jürgen Fischer (the packager for Windows and Ubuntu) informed you that OSGeo4W is already patched: <a href="https://lists.osgeo.org/pipermail/qgis-user/2023-July/053215.html" target="_blank">https://lists.osgeo.org/pipermail/qgis-user/2023-July/053215.html</a></p>

<p>And also that ghostscript isn't necessary for QGIS, but a dependency of GRASS. You could install QGIS with the OSGeo4W network installer and not select GRASS. Then you wouldn't get ghostscript. But if you do want GRASS you can now use the patched ghostscript version.</p>

<p>If you need a patched .msi or standalone installer you can get one after the next planned release - see <a href="https://www.qgis.org/en/site/getinvolved/development/roadmap.html#roadmap" target="_blank">https://www.qgis.org/en/site/getinvolved/development/roadmap.html#roadmap</a></p>

<p>Hope this clarifies the situation enough?</p>

<p>Greetings,</p>

<p>Andreas</p>

<p id="m_-1174533587557328211reply-intro">On 2023-07-20 07:21, Ronny Kerlin wrote:</p>

<blockquote type="cite" style="padding:0px 0.4em;border-left:2px solid rgb(16,16,255);margin:0px">

<div id="m_-1174533587557328211replybody1">

<div>

<div dir="ltr">

<div dir="ltr">

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="font-size:10pt;font-family:"Courier New"">Please excuse my bad English.<span></span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"> </p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"> </p>

<div><span style="font-size:10pt;font-family:"Courier New"">Hello and sorry for the insufficient information, that was not intentional. I use the LTR version QGis 3.28.4 Firenze under Windows10 22H2. Download source  </span><a href="https://www.qgis.org/de/site/forusers/download.html#" rel="noopener noreferrer" target="_blank"><span style="color:windowtext;text-decoration:none">https://www.qgis.org/de/site/forusers/download.html#</span></a><span></span></div>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span> </span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="font-size:10pt;font-family:"Courier New"">With this installation, Ghostscript libraries are also copied to the corresponding directory</span>  <span><br></span></p>

<br>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">C:\Program Files\QGIS 3.28.4\bin\gsdll64.dll <span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">C:\Program Files\QGIS 3.28.4\bin\gswin32c.exe <span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">C:\Program Files\QGIS 3.28.4\bin\gswin64c.exe<span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span> </span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="font-size:10pt;font-family:"Courier New"">The Ghostscript libraries used here are older (GPL Ghostscript 9.55.0) and are therefore probably also affected by the Ghostscript vulnerability.  </span><br><a href="https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability" rel="noopener noreferrer" target="_blank"><span style="color:windowtext;text-decoration:none"><br>https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability</span></a> <span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span> </span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">„Applications may leverage Ghostscript without it being obvious. It is recommended that applications that have the ability to render PDF or EPS files are checked for Ghostscript usage and updated as patches become available from the vendor."<span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span> </span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="font-size:10pt;font-family:"Courier New"">So the question was who do I contact to find out if the QGis version is vulnerable to such manipulated .eps , .ps or QGis project files files? <br><br>Thank you for your help and greetings from Germany <br><br>Ronny</span><span style="font-size:10pt;font-family:"Courier New""><span></span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"> </p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"> </p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"> </p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">#######</p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">Entschuldige bitte mein schlechtes Englisch. <br><br>Hallo und sorry für die unzureichenden Angaben, das war keine Absicht. <br><br>Ich nutze die LTR Version QGis 3.28.4 Firenze unter Windows10 22H2. Downloadquelle  <a href="https://www.qgis.org/de/site/forusers/download.html#" rel="noopener noreferrer" target="_blank">https://www.qgis.org/de/site/forusers/download.html#</a> <br><br>Mit dieser Installation werden auch Ghostscript Bibliotheken im entsprechenden Verzeichnis kopiert <br><br>C:\Program Files\QGIS 3.28.4\bin\gsdll64.dll <br>C:\Program Files\QGIS 3.28.4\bin\gswin32c.exe <br>C:\Program Files\QGIS 3.28.4\bin\gswin64c.exe <br><br>Die hierbei verwendeten Ghostscript Bibliotheken sind älter( GPL Ghostscript 9.55.0 ) und somit wohl auch von der Ghostsript Schwachstellebetroffen. <a href="https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability" rel="noopener noreferrer" target="_blank"><br><br>https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability</a> „Applications may leverage Ghostscript without it beingobvious. It is recommended that applications that have the ability to renderPDF or EPS files are checked for Ghostscript usage and updated as patchesbecome available from the vendor." <br><br>Daher war die Frage, an wen muss ich mich wenden, um herauszubekommen ob die QGis Version anfällig für solche manipulierten .eps oder .ps oder QGis Projektdateien Dateien ist? <br><br>Vielen Dank für eure Hilfe und Grüße aus Deutschland <br><br>Ronny<br><br><br></p>

</div>

<br>

<div>

<div dir="ltr">Am Mi., 19. Juli 2023 um 13:57 Uhr schrieb Andreas Neumann <<a href="mailto:a.neumann@carto.net" rel="noreferrer" target="_blank">a.neumann@carto.net</a>>:</div>

<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">

<div style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">

<p>Hi Ronny,</p>

<p>What operating system are your refering to? QGIS on Windows? Mac? Linux?</p>

<p>QGIS doesn't use ghostscript and doesn't install ghostscript.</p>

<p>But you might have installed ghostscript through OSGeo4W. If there is anything to patch, then it is in OSGeo4W and the various Linux and MacOS distributions.</p>

<p>How did you install QGIS? Through the OSGeo4W installer or with the standalone installer or .msi installer?</p>

<p>Greetings,</p>

<p>Andreas</p>

<p id="m_-1174533587557328211v1m_5963992876143645543reply-intro">On 2023-07-19 13:21, Ronny Kerlin via QGIS-User wrote:</p>

<blockquote style="padding:0px 0.4em;border-left:2px solid rgb(16,16,255);margin:0px">

<div id="m_-1174533587557328211v1m_5963992876143645543replybody1">

<div>

<div dir="ltr">

<div>

<div dir="ltr">

<p style="margin:0cm 0cm 0.0001pt;font-family:"Calibri",sans-serif">Hello QGI's team,<br><br>We have an important question regarding a recent vulnerability [ CVE-2023-36664 ] affecting Ghostscript<br><br><a href="https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability" rel="noopener noreferrer" target="_blank">https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability</a><br><br><a href="https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betreff-LibreOffice-und-mehr-9215627.html" rel="noopener noreferrer" target="_blank">https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betreff-LibreOffice-und-mehr-9215627.html</a><br><a href="https://www.borncity.com/blog/2023/07/13/critical-rce-vulnerability-cve-2023-36664-in-ghostscript-endangered-systems/" rel="noopener noreferrer" target="_blank">https://www.borncity.com/blog/2023/07/13/critical-rce-vulnerability-cve-2023-36664-in-ghostscript-endangered-systems/</a><br><br><br>There are also corresponding GS libraries in #QGIS 3.28.4.<br><br>Now how can I fix the above vulnerability or is there no concern for QGis?<br><br>Thank you in advance for your efforts.<br>Best regards<br><br>Ronny</p>

<p style="margin:0cm 0cm 0.0001pt;font-family:"Calibri",sans-serif"><span style="font-family:times new roman,serif;font-size:small"> </span></p>

<p style="margin:0cm 0cm 0.0001pt;font-family:"Calibri",sans-serif"><span style="font-family:times new roman,serif;font-size:small"> </span></p>

<p style="margin:0cm 0cm 0.0001pt;font-family:"Calibri",sans-serif"><span style="font-family:times new roman,serif;font-size:small"> </span></p>

<p style="margin:0cm 0cm 0.0001pt;font-family:"Calibri",sans-serif"><span style="font-family:times new roman,serif;font-size:small"> </span></p>

<p style="margin:0cm 0cm 0.0001pt;font-family:"Calibri",sans-serif"><span style="font-family:times new roman,serif;font-size:small">###### Hallo QGIs Team,<span></span></span></p>

<p style="margin:0cm 0cm 0.0001pt"><span style="font-family:times new roman,serif;font-size:small"><span> </span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="font-family:times new roman,serif;font-size:small">wir haben ein wichtige Frage zu einer aktuellen Sicherheitslücke [ CVE-2023-36664 ], die im Zusammenhang mit Ghostscript auftritt </span><a style="color:rgb(5,99,193);text-decoration:underline" href="https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betrifft-LibreOffice-und-mehr-9215627.html" rel="noopener noreferrer" target="_blank"><br></a></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"> </p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><a href="https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability" rel="noopener noreferrer" target="_blank">https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability</a></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"> </p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"> </p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"> </p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><a style="color:rgb(5,99,193);text-decoration:underline" href="https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betrifft-LibreOffice-und-mehr-9215627.html" rel="noopener noreferrer" target="_blank"><br>https://www.heise.de/news/Codeschmuggel-Luecke-in-Ghostscript-betrifft-LibreOffice-und-mehr-9215627.html</a><span>  </span><br><a style="color:rgb(5,99,193);text-decoration:underline" href="https://www.borncity.com/blog/2023/07/13/kritische-rce-schwachstelle-cve-2023-36664-in-ghostscript-bedroht-systeme/" rel="noopener noreferrer" target="_blank">https://www.borncity.com/blog/2023/07/13/kritische-rce-schwachstelle-cve-2023-36664-in-ghostscript-bedroht-systeme/</a><span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span> </span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt"><span style="font-family:times new roman,serif;color:rgb(0,0,0)">In der <strong>#QGIS</strong> 3.28.4 gibt es auch entsprechende GS Bibliotheken.  <br><br>Wie kann ich jetzt die oben genannte Sicherheitslücke schließen oder gibt es für QGis keine Bedenken?<span></span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt"><span style="font-family:times new roman,serif;color:rgb(0,0,0)"><span> </span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt"><span style="font-family:times new roman,serif;color:rgb(0,0,0)">Vielen Dank im Voraus für eure Bemühungen.<span></span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt"><span style="font-family:times new roman,serif;color:rgb(0,0,0)"><span> </span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt"><span style="font-family:times new roman,serif;color:rgb(0,0,0)">Viele Grüße<span></span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt"><span style="font-family:times new roman,serif;color:rgb(0,0,0)"><span> </span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt"><span style="font-family:times new roman,serif;color:rgb(0,0,0)">Ronny<span></span></span></p>

<p style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="font-family:times new roman,serif;color:rgb(0,0,0)"><span> </span></span></p>

</div>

</div>

</div>

</div>

</div>

<br>

<div style="margin:0px;padding:0px;font-family:monospace">_______________________________________________<br>QGIS-User mailing list<br><a href="mailto:QGIS-User@lists.osgeo.org" rel="noreferrer" target="_blank">QGIS-User@lists.osgeo.org</a><br>List info: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-user" rel="noopener noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-user</a><br>Unsubscribe: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-user" rel="noopener noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-user</a></div>

</blockquote>

<p><br></p>

</div>

</blockquote>

</div>

</div>

</div>

</div>

</blockquote>

<p><br></p>


</div>

</blockquote></div>