Motivation for this change

This was originally aimed at just fixing https://nvd.nist.gov/vuln/detail/CVE-2019-14869 as a backport of #73500, the patch of course needed some adjustment and also appeared to depend on some changes made in previous commits. The answer came from debian's 9.26a~dfsg-0+deb9u6, which has an appropriately adjusted, though not well labeled, patch series. Unfortunately I couldn't find any online source that actually hosted these individual files. Not https://sources.debian.org, not https://salsa.debian.org/printing-team/ghostscript - so I had to include the files hand-extracted from the source package, leaving them verbatim to acknowledge their source.

The bonus was that this patch series also included adjusted patches for CVE-2019-3835 & CVE-2019-3838, which had previously been unpatched. Though it was a royal pain in the ass determining exactly the role of each patch in their series and which were totally necessary...

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

Notify maintainers

cc @