Hello, Here is a crash file for the gs command. The crash can be triggered with the following command on older versions of Ghostscript: $ ps2pdf test.ps Segmentation fault The affected versions are still shipped by various distributions. ps2pdf is a shell script that calls the gs binary in the following way: $ /usr/bin/gs -P- -dSAFER -dCompatibilityLevel=1.4 -q -P- -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile=test.pdf -P- -dSAFER -dCompatibilityLevel=1.4 -c .setpdfwrite -f test.ps Segmentation fault I attached gdb and valgrind sessions showing the crash on RHEL 6.6 and RHEL 7.1.1503. The versions of the affected packages on RHEL are: RHEL6.6 ghostscript-8.70-19.el6.x86_64 ghostscript-debuginfo-8.70-19.el6.x86_64 ghostscript-fonts-5.50-23.2.el6.noarch RHEL7.1.1503 ghostscript-9.07-18.el7.x86_64 ghostscript-debuginfo-9.07-18.el7.x86_64 ghostscript-fonts-5.50-32.el7.noarch The problem does not occur with current source revision. The following commit fixes the segfault, but the problem is not mentioned in the commit log: ecc7a199e9307475c37fea0c44d24b85df814ead The offending file seems to be gs/Resource/Init/gs_ttf.ps If one replaces this file with the one from the specified commit (or from the current master) on RHEL 7.1.1503 or RHEL 6.6, the segfault does not occur anymore. Since the influence of this commit on the problem is not yet fully understood, the problem might still be present in current version of gs. Could you please make this bug private so I can attach the crash file ? Thanks, William
Created attachment 11743 [details] test.ps
Created attachment 11744 [details] gdb_rh6.6.log
Created attachment 11745 [details] gdb_rh7.1.1503.log
Created attachment 11746 [details] valgrind_rh6.6.log
Created attachment 11747 [details] valgrind_rh7.1.1503.log
The following CVE id was assigned to this issue by RedHat: CVE-2015-3228
Fixed in current version.
*** This bug has been marked as a duplicate of bug 696070 ***