CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Percentile: 78.8%

In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to
remote code execution via crafted PostScript documents because they can
switch to the IJS device, or change the IjsServer parameter, after SAFER
has been activated. NOTE: it is a documented risk that the IJS server can
be specified on a gs command line (the IJS device inherently must execute a
command to start the IJS server).
Author | Note |
---|---|
rodrigo-zaiden | the risk of having programs being executed with IJS server is documented in the start of the devices/gdevijs.c source file and in the online documentation: https://ghostscript.readthedocs.io/en/gs10.02.0/Devices.html#ijs-inkjet-and-other-raster-devices "Note also that if -dSAFER is not specified, it's possible for PostScript code to set this parameter, so it can cause arbitrary code to be executed." the commit that fixes this issue makes it clear that there is no way to properly validate it. what the fix does is to provide a minimal guard based on file opening path validation. it will prevent PostScript programs switching to the IJS device after SAFER has been activated. file opening path validation was added in version 9.28, with commit 9de16a6637b73e35f79d2d622de403b24e6502f2, so in Ubuntu it is applicable starting from focal; for previous versions, the remediation is not applicable. applying file opening path validation for older versions sounds risky and could possibly bring other problems. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | ghostscript | < 9.50~dfsg-5ubuntu4.11 | UNKNOWN |
ubuntu | 22.04 | noarch | ghostscript | < 9.55.0~dfsg1-0ubuntu5.5 | UNKNOWN |
ubuntu | 23.04 | noarch | ghostscript | < 10.0.0~dfsg1-0ubuntu1.4 | UNKNOWN |
ubuntu | 23.10 | noarch | ghostscript | < 10.01.2~dfsg1-0ubuntu2.1 | UNKNOWN |