Disclosure: I am part of the Ghostscript development team.
It is highly unfortunate that, due to a consensus of opinion on a mailing list, this issue was not responsibly disclosed. The information was made public before the development team was made aware of any problems. The Project Zero team state that vendors are informed privately and given 90 days to respond; in this case the first we knew of any problems was when a friendly distributor tipped us off that disclosure had already occurred. The bugs in question were not reported to us until *after* the CERT was issued.
RAMChYLD: "Why is Ghostscript allowed to be so daft tho? They've been alive for over 30 years, and have plenty of time to implement input sanitization."
It is unfortunately true that software has bugs; since you're a software developer, I'm sure you are aware of this. We've already done a lot to respond to security issues. In fact, Tavis refers to a previous disclosure which *also* went public before informing us and which we rapidly addressed. So we're a little disappointed not to have been contacted in the first instance.
Nevertheless, the point is that Ghostscript is a PostScript interpreter, and PostScript is a programming language. It's not too terribly surprising to discover that if you run random programs on your computer, they can be malicious!
Note that in the case of PDF files none of the exploits so far reported to us, at least, are possible. You need to use *PostScript* files. Of course, if you differentiate your files by extension then it's possible to disguise a PostScript file as a PDF file, so we're not being complacent about this. The same is also true of PCL, PXL and XPS files, despite Tavis's comment about disabling these as well in policy.xml; in the case of PCL, PXL and XPS files, even disguising a PostScript file with an extension won't get you anywhere: the file simply won't process and will throw an error.
Finally, this is open source software (though your usage sounds suspiciously like it may not be legal under the AGPL), so nobody 'allows it'. The software is supplied 'as is' without warranty or support. You did read the licence, yes?
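The comment above notes that a PostScript file can be disguised as a PDF if you sort files by extension. The check a practitioner would want is to classify the job by its leading bytes instead. The following is an added example, not part of the original comment and not Ghostscript code. The header constants are taken from the formats' own specifications; the allow-list policy (pass on only content that actually begins with a PDF header, and treat everything else, including files with no recognisable header, as possibly PostScript) is this example's own assumption about what a safe front-end should do, not a description of how the interpreter itself decides.

```python
"""Classify a print job by its content, not its file extension.

Added example (not Ghostscript project code). Header bytes come from the
formats' own specifications; the accept-only-PDF policy is this example's
assumption, not the interpreter's behaviour.
"""

PDF_HEADER = b"%PDF-"                 # PDF 1.x header line
PS_HEADER = b"%!"                     # DSC-style PostScript header (optional for PS!)
DOS_EPS_HEADER = b"\xC5\xD0\xD3\xC6"  # DOS EPS binary preview wrapper
PJL_UEL = b"\x1b%-12345X"             # PJL Universal Exit Language, starts most PCL/PXL jobs
PCL_RESET = b"\x1bE"                  # PCL "printer reset"
ZIP_HEADER = b"PK\x03\x04"            # XPS is a ZIP (OPC) container


def classify(data: bytes) -> str:
    """Return 'pdf', 'postscript', 'pcl', 'xps' or 'unknown' from the leading bytes.

    Only the very first bytes are consulted. A PostScript program has no
    mandatory header, so 'unknown' must be treated as "could be PostScript".
    """
    if data.startswith(PDF_HEADER):
        return "pdf"
    if data.startswith(PS_HEADER) or data.startswith(DOS_EPS_HEADER):
        return "postscript"
    if data.startswith(PJL_UEL) or data.startswith(PCL_RESET):
        return "pcl"
    if data.startswith(ZIP_HEADER):
        return "xps"
    return "unknown"


def accept_as_pdf(data: bytes) -> bool:
    """Allow-list: only content that really starts as a PDF is passed on."""
    return classify(data) == "pdf"


# Constructed sample jobs, keyed by the (untrusted) filename they arrived with.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    "disguised.pdf": b"%!PS-Adobe-3.0\n(PostScript with a .pdf name) print\n",
    "headerless.pdf": b"(PostScript needs no header) print flush\n",
    "job.pcl": PJL_UEL + b"@PJL ENTER LANGUAGE=PCL\n" + PCL_RESET,
    "doc.xps": ZIP_HEADER + b"\x14\x00\x00\x00\x08\x00" + b"[Content_Types].xml",
}


def triage(samples: dict) -> dict:
    """Map each filename to (content type, accepted-as-PDF?)."""
    return {name: (classify(data), accept_as_pdf(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, ok) in triage(SAMPLES).items():
        ext = name.rsplit(".", 1)[-1]
        flag = "" if kind == ext else f"  (extension says .{ext})"
        print(f"{name:16} content={kind:10} accept={ok}{flag}")
```

Note the asymmetry the example relies on: a PDF can be recognised by its header, but a PostScript program needs no header at all, so a content check can only allow-list PDF, never deny-list PostScript. Being stricter than the consumer (requiring the header at byte 0 when the consumer might scan further for it) is the safe direction; being more lenient is not.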