Latest Ghostscript vulnerability haunts experts as the next big breach enabler

Infosec circles are awash with chatter about a vulnerability in Ghostscript some experts believe could be the cause of several major breaches in the coming months. Ghostscript is a Postscript and Adobe PDF interpreter that lets users of *nix, Windows, MacOS, and various embedded OSes and platforms view, print, and convert PDFs …

  1. Pascal Monett Silver badge

    It's either open a file or click a link

    There's the remote edge case where you visit a compromised website, but it seems to me that 99% of all malware is still waiting for the user to do something stupid.

    Fix that and the miscreants will lose billions overnight.

    1. Alan_Peery

      Re: It's either open a file or click a link

      So you think clicking on links is stupid?

      Saying "just don't visit dodgy sites" isn't an answer, as legitimate sites can be compromised.

  2. Androgynous Cupboard Silver badge

    PS only

    This is like a PostScript issue only. PostScript is a programming language, and running a PostScript program from an untrusted source makes about as much sense as running any script. PDF is not vulnerable to this - it is not Turing complete by design, and certainly doesn't have "readstring" or disk access - although they do contain Type 1 font support which do require a PostScript interpreter.... hmm. To investigate.

    Been a while since I've run Linux on the Desktop, but surely web-browsers don't map application/postscript files to open with GhostScript. Do they?

    1. Androgynous Cupboard Silver badge

      Re: PS only

      No, that is not looking good at all. At least the first part of the issue - the ability to write to /tmp - is confirmed when processing a PDF containing a Type1 font with GhostScript. I've emailed the Codean Labs people. If the exploit is extendable to PDF processing, then this vulnerability probably applies to any UNIX machine running a printer queue.

    2. Anonymous Coward

      Re: PS only

      "surely web-browsers don't map application/postscript files to open with GhostScript. Do they?"

      More importantly, does systemd?

    3. Gene Cash Silver badge

      Re: PS only

      Sure... it mostly works.

      You could use qpdfview but that shits on /dev/null and replaces it with a text file if you happen to run it as root (which took a while to find out that's why my QEMU/KVM VMs stopped running)

      (I shouldn't have run it as root of course, but occasionally you want to view docs on the stuff that you're trying to fix)

      qpdfview also has the charming talent of totally ignoring your preferences as to whether you wanted to view single page, what zoom you want, and which toolbars to display and take up all the room for viewing a PDF.

      So I used GhostScript until I found xpdf, which is a bit lighter weight.

  3. sitta_europea Silver badge

    FWIW this was fixed in Debian around May 10th.

    8<---------------------------------------------------------------------------------------------------------------------
    ghostscript (9.53.3~dfsg-7+deb11u7) bullseye-security; urgency=high

      * Non-maintainer upload by the Security Team.
      * In SAFER (default) don't allow eexec seeds other than the Type 1 standard
        (CVE-2023-52722)
      * Uniprint device - prevent string configuration changes when SAFER
        (CVE-2024-29510)
      * Bug #707691 (CVE-2024-33869)
      * Bug 707691 part 2 (CVE-2024-33869)
      * Bug #707686 (CVE-2024-33870)
      * OPVP device - prevent unsafe parameter change with SAFER (CVE-2024-33871)

     -- [redacted]  Fri, 10 May 2024 14:34:11 +0200
    8<---------------------------------------------------------------------------------------------------------------------

  4. Doctor Syntax Silver badge

    A quick check shows Debian ghostscript is now up to 10.0.0 so unless there's been a regression this is well behind us.

    1. that one in the corner Silver badge

      > Debian ghostscript is now up to 10.0.0 so unless there's been a regression this is well behind us

      The vulnerability is in versions up to and including 10.03.0, according to the linked blog post.

      You need to use Trixie (testing) or Sid (unstable) to get the fixed 10.03.1

      Although there are patched copies of older versions to be had in the interim.

      1. Doctor Syntax Silver badge

        Fixed in 10.0.0~dfsg-11+deb12u4

  5. Alistair

    For the fedora crowd

    a) Red Hat bug for fedora

    if, like me, you are on something other than 40:

    b) sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-c45c747f02

    It appears 40 has this in general repos.

    1. DS999 Silver badge

      Re: For the fedora crowd

      I'm on 38 on the PC upon which I'm typing this but have been dragging my feet on the upgrade to 40 despite recently noting that 38 is now obsolete. This will give me the impetus I need to get it done this weekend!

      I was able to workaround the OpenSSH issue by redirecting my port forward to my router (which doesn't run OpenSSH) but having two big things I can't simply "dnf update" away is too much, time to get the upgrade done!

  6. petef

    Obligatory XKCD

  7. CowHorseFrog Silver badge

    Who pays these people to look for these vuls?

    This would have taken many weeks if not months to find.

    1. Anonymous Coward

      > Thomas Rinsma, lead security analyst at Dutch security shop Codean Labs

      So yes, it's his job... I don't know who employs "security shops" though.

      Certainly not my employer... security is an unnecessary cost, not an advantage, according to them.

      1. CowHorseFrog Silver badge

        Same q, who pays C Labs?

        1. that one in the corner Silver badge

          To start with, they raised €1M from TIIN Capital’s Dutch Security TechFund and five experienced angel investors in 2022.

          At this point, they are selling, for much moola per seat software for code reviews, aimed at "security experts".

          As to who actually *buys* any of this (especially given the inevitable comments here that "the people I work for don't care about security") the answer appears to be - the people who actually run all of the crap that we (El Reg commentards) are generally more involved in creating in the first place. Names that appear[1] are people like KPMG, banks, NATO, national governments' departments of cybersecurity.

          You know, all of our (shudder) Users.

          [1] as I continued to spend the full 10 minutes on the web search around this question

          1. CowHorseFrog Silver badge

            thatone: To start with, they raised €1M from TIIN Capital’s Dutch Security TechFund and five experienced angel investors in 2022.

            cow: thanks, so they used up all their $1M to maybe find a vuln ?

            thatone: At this point, they are selling, for much moola per seat software for code reviews, aimed at "security experts".

            cow: Sorry i will expand on my q.

            V exist everywhere but it takes a lot of looking. M & G spent far more than $1M and if you compute the cost of each vuln they find, the cost of each just for the lookers is more than 1M for each.

            Who spends soo much when they have so little to find a V that earns them nothing ?

            At least gold prospectors found gold, a V is worth nothing.

            1. that one in the corner Silver badge

              > cow: thanks, so they used up all their $1M to maybe find a vuln ?

              No. They used that money to set up their company and get their product into a state ready for sale. Just as you expect a startup to do.

              Go and *read* the links - they provide services to help with security, and one thing they do is look for vulns.

              1. CowHorseFrog Silver badge

                TOITC:

                No. They used that money to set up their company and get their product into a state ready for sale. Just as you expect a startup to do.

                Go and *read* the links - they provide services to help with security, and one thing they do is look for vulns.

                COW: But nobody paid them to look for this ghostscript V because there is no ghostscript megacorp that is interested and can pay to prevent V and that's my point. Who invests all that time looking for V that nobody is going to pay for ?

          2. CowHorseFrog Silver badge

            You missed the point, that it costs a lot of luck and money to find v. Why would anyone spend soo much effort and money to find something worth basically nothing. Who pays for all the other experts who find nothing ?

            1. that one in the corner Silver badge

              > Why would anyone spend soo much effort and money to find something worth basically nothing. Who pays for all the other experts who find nothing ?

              Q: Why do road car manufacturers build Formula race cars? They are worth basically nothing (they used to feed some tech back into road cars, but who needs a massive regen storage flywheel weighing down a road car?).

              A: because it is good advertising and pulls in the punters

              Plus, companies who are worried about the costs that vulns may cause them are quite happy to pay a (to them) small amount of money to keep vuln hunters in coffee and pizza: any vuln found can (probably) save them far more.

              Look at it this way: why pay for something like data backup, it does not add a single penny to the bottom line. Even when you need to act on your DR plan, it is all cost and no gain to the bottom line. But it is a *SMALLER* cost than not doing DR.

              Isn't all this pretty basic stuff?

      2. Bartholomew

        > Certainly not my employer... security is an unnecessary cost, not an advantage, according to them.

        I think many look on security like Ad*be used to (not sure if it is still the case or not). People do not pay us for security patches, they pay us for new features that they can use to make money. It is in our terms and conditions, we are not responsible for your security, or any losses you may make or profits that you fail to make; they are not our problem. Security is not at the core of our business, why should we need to invest money where we will never see a return on that investment. We will create patches when paying customers report issues, but we do not need to be proactive - that just wastes money that could be used to pay bonuses to management for record profits!

        1. CowHorseFrog Silver badge

          And this is why bad consequences of any software company should be linked to the criminal action against corporate leaders. If they can claim they are worthy of bonuses, they can also claim the responsibility for bad stuff happening because of their leadership.

  8. that one in the corner Silver badge

    Clearly PostScript qua PostScript is just old NeWS now; maybe move on from GhostScript[3]

    From the blog linked to by the article:

    > It is good to remember that Postscript is a well-featured Turing-complete programming language ... All of this puts Ghostscript in an odd place where it wants to allow all these legacy use-cases, but it is also commonly being used as a conversion tool on untrusted files, which are often treated more as static graphic descriptions rather than as programs.

    "legacy use-cases"?

    So PostScript is just some nasty old "legacy" language (with the usual implication of "legacy" that it should be buried and forgotten)? Leave it as some oddball implementation detail of our gorgeous laser printers but otherwise brush it under the carpet?

    Look, except for having a bit of fun, *I* don't make use of PsTricks in my TeX/LaTeX documents[1]. But I also don't make use of a scanning electron microscope, a laser cooling rig or even a visual interferometry alignment device[2]. But those who do need that sort of power and complexity can produce some damn impressive and useful results.

    GhostScript *is* a PostScript interpreter, first and foremost. And jolly good it is too.

    If GhostScript is "in an odd place" (and one that risks opening unexpected vulnerabilities) then is it not down to any "legacy" PostScript usage but to the fact that it is being used to *also* run the lesser variant of PostScript implemented within PDF (is it still referred to as "Interchange PostScript" aka "IPS"? Or just referred to as "whatever is inside PDF"?). It is obvious why and how a full interpreter came to be running PDFs as well, it was almost inevitable (and the way that this then became, and remains, so widely used, when there are competing bits of software that only handle the PDF subset, speaks well for the results).

    HOWEVER, perhaps a lot of the people who put Ghostscript into their pipeline purely for handling PDF ought to be lightly castigated for not promoting the use of GhostPDF, which is just a PDF interpreter, separated from the PostScript interpreter, and can perhaps be gently guided away from some of the complexities discussed in the Codean blog (and the concerns that the Ghostscript authors talk about in their blog post) and vulnerabilities that arise from those.

    [1] And I'm well aware that using TeX/LaTeX is a minority sport, even around El Reg readers (although, I argue that if you are ever going to programmatically generate PDFs you can do a lot worse than starting with LaTeX, especially if you like to include your inputs in your choice of plain-text version control system), PsTricks more so.

    [2] actually, only because my telescopes are refractors, so I leave the alignment of compound reflectors to the other members of the local amateur astronomy club.

    [3] if all you need is PDF, consider GhostPDF
