Ghostscript: How One Vulnerable Feature Can Ruin Your Life
The new security hole could be used in both Linux and Windows attacks.
The vulnerability has been assigned the identifier CVE-2023-36664 and a CVSS v3 score of 9.8 (critical). It affects every version of Ghostscript before 10.01.2, which was released three weeks ago.
Given that Ghostscript is installed by default on many Linux distributions and is relied on by programs such as LibreOffice, GIMP, Inkscape, Scribus, ImageMagick and CUPS, the attack surface exposed by CVE-2023-36664 is wide.
The researchers also note that the problem applies to open-source applications on Windows if they ship a Windows port of Ghostscript.
CVE-2023-36664 lies in Ghostscript's handling of pipes, the operating system mechanism that lets applications exchange data by feeding one program's output into another program as input.
The problem comes from the gp_file_name_reduce() function, which takes path components, concatenates them and simplifies the result by stripping relative path references.
If a specially crafted path is passed to this function, it can return an unexpected result, which is enough to bypass the validation mechanisms and open the way to exploitation.
When Ghostscript opens a file it uses another function, gp_validate_path, to check that the location is permitted.
Because gp_file_name_reduce has already altered the path by the time gp_validate_path inspects it, an attacker can supply a name that passes the check yet makes Ghostscript operate on a location that should be inaccessible by default.
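The following is an added illustration of the failure class described above, not Ghostscript's code or the Kroll PoC. The function names reduce_path and validate_path echo gp_file_name_reduce and gp_validate_path only by analogy; the reducer, the "output/" allow-list, the %pipe% dispatch rule and the crafted file name are all constructed for this example. The point it makes is that a validator which checks a simplified copy of a name while the opener acts on the raw name can be led to approve a pipe request as if it were a permitted file.

```python
"""Toy model of a reduce-then-validate mismatch (added example, not Ghostscript code).

reduce_path / validate_* / open_* are stand-ins built for this illustration;
the allow-list, the dispatch rule and CRAFTED are constructed sample data.
"""

PIPE_PREFIX = "%pipe%"
# Constructed allow-list: under the example's "safer" policy only this
# directory may be touched, and pipes are never permitted.
PERMITTED = ("output/",)


def reduce_path(name: str) -> str:
    """Collapse '', '.' and '..' segments of a '/'-separated name.

    Mimics a path simplifier that treats its input purely as a file path;
    it has no idea that a %pipe% name is really a command line.
    """
    is_abs = name.startswith("/")
    out = []
    for seg in name.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return ("/" if is_abs else "") + "/".join(out)


def validate_vulnerable(name: str) -> bool:
    """Reduce first, then check the *reduced* string against the allow-list."""
    reduced = reduce_path(name)
    if reduced.startswith(PIPE_PREFIX):
        return False  # a pipe that survives reduction is correctly refused
    return reduced.startswith(PERMITTED)


def open_vulnerable(name: str):
    """Validate, then dispatch on the *raw* name.

    Returns ("pipe", command) or ("file", path) instead of doing anything.
    """
    if not validate_vulnerable(name):
        raise PermissionError(name)
    if name.startswith(PIPE_PREFIX):
        return ("pipe", name[len(PIPE_PREFIX):])
    return ("file", reduce_path(name))


def validate_fixed(name: str) -> bool:
    """Never reduce a pipe name; check the exact string that will be acted on."""
    if PIPE_PREFIX in name:
        return False  # pipe requests are judged verbatim; none are permitted here
    return reduce_path(name).startswith(PERMITTED)


def open_fixed(name: str):
    if not validate_fixed(name):
        raise PermissionError(name)
    return ("file", reduce_path(name))


# Constructed sample: a pipe command, a '#' so a shell would ignore the rest,
# and enough '..' segments for the reducer to turn the whole string into a
# path inside the permitted directory.
CRAFTED = "%pipe%id #/../output/report.txt"

if __name__ == "__main__":
    print(reduce_path(CRAFTED))       # output/report.txt
    print(open_vulnerable(CRAFTED))   # ('pipe', 'id #/../output/report.txt')
    try:
        open_fixed(CRAFTED)
    except PermissionError as err:
        print("fixed build rejects:", err)
```

The hardened variant also catches plain traversal such as output/../etc/passwd, because it validates the reduced form of an ordinary path while refusing to reduce anything carrying the pipe marker. The general rule is to validate exactly the representation the code will act on, and never a normalised copy of it.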
Kroll analysts have created a PoC exploit that triggers when a crafted EPS file is opened in any application that uses Ghostscript.
All Linux users are advised to upgrade to Ghostscript 10.01.2 through their distribution's package manager. If the fixed version is not yet available in the distribution's repositories, compile it from source.
Unfortunately, open-source Windows applications that bundle Ghostscript ports will naturally take longer to move to the fixed version. Until they do, be especially careful with suspicious installers and documents on Windows.
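A small added helper, not from the article or the Ghostscript project, for checking whether a local gs binary reports a version at or past 10.01.2. It parses the output of `gs --version` (or `gs -v`) and compares numerically, since comparing version strings as text ranks "10.01.2" below "9.56.1". The version threshold comes from the article; the helper names are this example's own.

```python
"""Check whether an installed Ghostscript reports the fixed release or later.

Added example; FIXED_VERSION is the release the article names, the helper
functions are this example's own.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (10, 1, 2)  # first upstream release without the bug, per the article

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_gs_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from gs output; None if no version is present.

    Works for both "10.01.2" (gs --version) and
    "GPL Ghostscript 10.01.2 (2023-06-21)" (gs -v).
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def gs_is_patched(text: str) -> bool:
    """True if the reported version is >= FIXED_VERSION (numeric, not string, order)."""
    version = parse_gs_version(text)
    return version is not None and version >= FIXED_VERSION


def installed_gs_version_text(binary: str = "gs") -> Optional[str]:
    """Run the local gs binary and return its version output; None if not on PATH."""
    path = shutil.which(binary)
    if path is None:
        return None
    result = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    return result.stdout + result.stderr


if __name__ == "__main__":
    output = installed_gs_version_text()
    if output is None:
        print("gs not found on PATH")
    elif gs_is_patched(output):
        print(output.strip(), "-> at or past 10.01.2")
    else:
        print(output.strip(), "-> older than 10.01.2")
```

One caveat: distributions often backport security fixes without bumping the upstream version, so a package that reports an older number may already be fixed. Treat this check as a first pass and confirm against your distribution's advisory or package changelog.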