back to article When something's weird in your ImageMagick upload, who ya gonna call? Ghostbusters!

GhostScript's security sandbox is so weak, website admins, developers, and users should block ImageMagick and other tools from using the software altogether. Returning from a sabbatical, noted Google Project Zero researcher Tavis Ormandy this week emitted new ways to execute arbitrary code on vulnerable servers and similar …

  1. frank ly

    Me Too?

    "... vulnerable servers and similar machines that process incoming files using GhostScript."

    Does this include me, who downloads .pdf files for viewing/printing with Evince or .xcf files for viewing/printing using GIMP on a Debian 9 system?

    1. Richard 12 Silver badge


      Servers cannot trust clients, and clients cannot trust servers.

      Who made that PDF, anyway?

  2. Destroy All Monsters Silver badge
    Paris Hilton

    "untrusted data to GhostScript"

    Is that like, when you have downloaded a PDF and a preview image is generated in the file browser?

    The Langsec problem strikes again.


    This cannot be good

    One of the web enterprise apps I developed uses Ghostscript.NET to convert PDF files (alongside Bitmap, GIF and PNG files) to JPEG for storage in SQL Server, and do the reverse when the user requests a "photo album" of their JPEG images, which the app will grab the relevant JPEG images (in this case, digital copies of issued certificates for the customer), compile them into a PDF, and let the customer download it. Removing ghostscript would completely break this which is one of the main functionality of the program.

    Although, as it stands only authorized employees are allowed to perform any image uploads at all. But I shudder to think what will happen if someone manages to steal the credentials of one of the employees.

    Why is Ghostscript is allowed to be so daft tho? They've been alive for over 30 years, and have plenty of time to implement input sanitization.

    1. Anonymous Coward
      Anonymous Coward

      Re: This cannot be good

      Why is Ghostscript is allowed to be so daft tho? They've been alive for over 30 years, and have plenty of time to implement input sanitization.

      Sanitization is probably not possible, even Sun didn't manage this with the Java Sandbox. You are crunching through whole programs after all. The best you can do is put the generator into a screambox (gingerly feed input into an isolated box, once a scream comes from inside the box, you burn the box down and start afresh, automatically). Such is life with computers.

    2. flibble

      Re: This cannot be good

      I don't know if it's the case or not, but your post makes it sound like you're running ghostscript on essentially untrusted input and that you're giving it significantly more permissions than it needs to perform the conversion (ie. it has permissions to access other data on your system).

      ghostscript may have bugs in it's implementation, but if the above is true then in my opinion you have an issue in your architecture. Isolating the conversion into a service that has no more permissions than necessary would make a lot of sense to me - i.e. the 'screambox' anonymous coward suggests in the next post.

      That said, my understanding is these exploits apply to postscript interpretation, so if you are correctly invoking ghostscript's PDF engine then these bugs may not affect you.

  4. pavel.petrman


    We've used the thing as a quick solution some years ago to convert user-submitted PDFs and pictures to standard formatted and resolution limited image files. A few months ago we gave up our laziness and wrote our own thing, which had two effects - the conversion takes tenths of a second instead of tens of seconds, and the servers suddenly ceased to develop unexplained instances of bluescreenitis. Together with the change in licensing of GhostScript some months (or is it years already?) ago makes the whole ImageMagick&GhostScript Combo not very appealing.

  5. kens

    Discloure; I am part of the Ghostscript development team.

    It is highly unfortunate that, due to a consensus of opinion on a mailing list, this issue was not responsibly disclosed. The information was made public before the development team was made aware of any problems. The Project Zero team state that vendors are informed privately and given 90 days to respond, in this case the first we knew of any problems was when a friendly distributor tipped us off that disclosure had already occurred. The bugs in question were not reported to us until *after* the CERT was issued.

    RAMChYLD "Why is Ghostscript is allowed to be so daft tho? They've been alive for over 30 years, and have plenty of time to implement input sanitization."

    It is unfortunately true that software has bugs, since you're a software developer I'm sure you are aware of this. We've already done a lot to respond to security issues, in fact Tavis refers to a previous disclosure which *also* went public before informing us and which we rapidly addressed. So we're a little disappointed not to have been contacted in the first instance.

    Nevertheless, the point is that Ghostscript is a PostScript interpreter, and PostScript is a programming language. Its not too terribly surprising to discover that if you run random programs on your computer, they can be malicious!

    Note that in the case of PDF files none of the exploits so far reported to us, at least, are possible. You need to use *PostScript* files. Of course if you differentiate your files by extension then its possible to disguise a PostScript file as a PDF file, so we're not being complacent about this. The same is also true of PCL, PXL and XPS files, despite Tavis's comment about disabling these as well in policy.xml, and in the case of PCL, PXL and XPS files, even disguising a PostScript file with an extension won't get you anywhere, the file simply won't process and will throw an error.

    Finally, this is open source software (though your usage sounds suspiciously like it may not be legal under the AGPL) so nobody 'allows it'. The software is supplied 'as is' without warranty or support. You did read the licence yes ?

    1. Pascal Monett Silver badge
      Thumb Up

      Kudos for stepping up to the plate

      And an upvote for the clarifications. Now I understand what Ghostscript is doing and what it is based on, and yes, as a programmer I fully understand that you're working on interpreting a programming language.

      That's obviously an open door to all sorts of shenanigans, and can only work if the spirit of the system is always honored.

      But still, sanitizing the incoming code should be possible, to a certain point. Whether that would make any difference is not something I can judge.

      1. A Non e-mouse Silver badge

        Re: Kudos for stepping up to the plate

        sanitizing the incoming code should be possible


    2. GnuTzu

      "the point is that Ghostscript is a PostScript interpreter, and PostScript is a programming language."

      And, consider what company brought us this language--over 30 years ago.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon