Arch Linux Security Advisory ASA-202109-3

Severity: High
Date : 2021-09-14
CVE-ID : CVE-2021-3781
Package : ghostscript
Type : arbitrary command execution
Remote : Yes
Link : https://security.archlinux.org/AVG-2374

Summary

The package ghostscript before version 9.54.0-3 is vulnerable to
arbitrary command execution.

Resolution

Upgrade to 9.54.0-3.

pacman -Syu “ghostscript>=9.54.0-3”

The problem has been fixed upstream but no release is available yet.

Workaround

None.

Description

A trivial sandbox (enabled with the -dSAFER option) escape security
issue was found in the ghostscript interpreter by injecting a specially
crafted pipe command. This flaw allows a specially crafted document to
execute arbitrary commands on the system in the context of the
ghostscript interpreter.

Impact

An attacker could execute arbitrary commands through crafted documents,
bypassing the interpreter’s sandbox.

References

https://bugzilla.redhat.com/show_bug.cgi?id=2002271
https://bugs.ghostscript.com/show_bug.cgi?id=704342
https://twitter.com/emil_lerner/status/1430502815181463559
https://github.com/duc-nt/RCE-0-day-for-GhostScript-9.50
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a9bd3dec9fde03327a4a2c69dad1036bf9632e20
https://security.archlinux.org/CVE-2021-3781