A flaw was found in Ghostscript. When the gp_validate_path_len function validates a path, it distinguishes between absolute and relative paths. In the case of relative paths, it will check the path with and without the current-directory-prefix (“foo” and “./foo”). This does not take into account paths with a parent-directory-prefix. Therefore, a path like “../../foo” is also tested as “./../../foo” and if the current directory “./” is in the permitted paths, it will pass the check, which may allow arbitrary file access.
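The check described above, as a simplified model beside a stricter variant that refuses relative paths climbing above the starting directory. This is an added example, not Ghostscript's code: the function names, the prefix matching and the permit list holding only "./" are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed permit list: only the current directory is allowed. */
static const char *permitted[] = { "./" };

/* Simplified model of a permit-list lookup: plain prefix match. */
static int prefix_permitted(const char *path) {
    for (size_t i = 0; i < sizeof permitted / sizeof permitted[0]; i++)
        if (strncmp(path, permitted[i], strlen(permitted[i])) == 0)
            return 1;
    return 0;
}

/* Flawed model: a relative path is tried as given and with "./" prepended. */
int check_flawed(const char *path) {
    char buf[512];
    if (path[0] == '/') return prefix_permitted(path);
    if (prefix_permitted(path)) return 1;
    int n = snprintf(buf, sizeof buf, "./%s", path);
    if (n < 0 || n >= (int)sizeof buf) return 0;   /* too long: deny */
    return prefix_permitted(buf);
}

/* Returns 1 if walking the components ever climbs above the start dir. */
int escapes_start_dir(const char *path) {
    int depth = 0;
    for (const char *p = path; *p; ) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return 1;
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            depth++;                /* ordinary component descends one level */
        }
        p += n;
        if (*p == '/') p++;
    }
    return 0;
}

/* Stricter model: deny relative paths that leave the starting directory. */
int check_hardened(const char *path) {
    if (path[0] != '/' && escapes_start_dir(path)) return 0;
    return check_flawed(path);
}

int main(void) {
    printf("flawed=%d hardened=%d\n", check_flawed("../../foo"), check_hardened("../../foo"));
    return 0;
}
```

Denying every escaping relative path is one conservative policy for this model; a validator whose permit list may itself contain parent-directory entries would instead normalize the path and match only the normalized form.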