ghostscript: -dSAFER escape in .charkeys (CVE-2019-14869)
This is another instance of a highly priviledged operator being accessible by specially crafted Postscript code, that can be used to break out of the -dSAFER limitations.
It was found that
.forceput operator was present and unprotected in
.charkeys method and could be retrieved via manipulation of the
.charkeys method was vulnerable since ghostscript-9.15, in one way
or another: the privileged operator was
superexec instead of
.forceput until a more recent version.