On Sunday, 30 July 2023 16:43:28 BST Michał Kruszewski wrote: > I do not have much knowledge in this area. > I just came across this interesting blog > https://cromwell-intl.com/open-source/pdf-not-authorized.html that also has > some nice references. > > However, right now I wonder when I should be extra careful when using groff. > -Tpdf is my default choice, and most of my papers include images, so I use > -U almost all the time. > > Best regards, > Michał Kruszewski > > Sent with Proton Mail secure email.
Hi Michał, You are safe. -Tpdf does not use ghostscript at all. Also the pdfs it produces contain no raw postscript, the article wrongly conflates PDF and PostScript as the same. I believe the bug involves the 'grestore' command which is a postscript operator. The bug is 5 years old and has been fixed since version 9.25:- https://ubuntu.com/security/CVE-2018-16802 Which also makes it clear that it is crafted postscript which triggered the bug. Cheers Deri