Linux distributors and application developers using the open-source Ghostscript interpreter for the PostScript language and PDFs are being urged to apply the latest security patch for the utility after the discovery of a major hole.
This vulnerability, CVE-2023-36664, was assigned a CVSS score of 9.8, and could allow for code execution caused by Ghostscript mishandling permission validation for pipe devices.
Versions prior to 10.01.2 are at risk.
Ghostscript is used heavily in Linux and is often installed by default, say researchers at
Kroll. But when the applications that use Ghostscript are ported to other operating systems such as Windows, they will continue to use a port of Ghostscript on the new operating system.
This means, the report says, that rather than impacting only one operating system, the vulnerability has the potential to affect many, particularly those with printing or publishing applications that make use of open-source components.
First released in 1988, Ghostscript has been part of many Linux distributions’ default installs. The Kroll report notes it is rarely used directly. Instead it is frequently used by other open-source software packages to help with printing or converting files. It is a required dependency for “cups-filters,” which is a core component of the Common Unix Printing System (CUPS), Linux’s primary mechanism for printing and print services. Other applications make use of Ghostscript for reading and saving PostScript (PS), Embedded PostScript (EPS) or PDF files.
On a Debian 12 system, Kroll says, 131 packages depend on Ghostscript. The list of applications that use Ghostscript includes notable desktop and productivity applications such as LibreOffice, Inkscape, and Scribus, along with other tools such as ImageMagick (which itself is a dependency of many important applications).
The Ghostscript vulnerability disclosure indicates that the issue relates to operating system pipes, which the Kroll report says are a mechanism for separate pieces of software to talk to each other through the output of one application being the input of another. These pipes are often represented by the “|” symbol on the command line. The vulnerability description also states that the issue relates to a permissions validation.
Kroll recommends updating Linux and affected systems to the latest security patch levels for Ghostscript. Applications that have the ability to render PDF or EPS files should also be checked for Ghostscript usage and updated as patches become available from the vendor. And infosec pros should ensure all endpoints are regularly patched and updated to defend against known vulnerabilities that threat actors may exploit.
