Linux distributors, open source developers warned to update Ghostscript

Share post:

Linux distributors and application developers using the open-source Ghostscript interpreter for the PostScript language and PDFs are being urged to apply the latest security patch for the utility after the discovery of a major hole.

This vulnerability, CVE-2023-36664, was assigned a CVSS score of 9.8, and could allow for code execution caused by Ghostscript mishandling permission validation for pipe devices.

Versions prior to 10.01.2 are at risk.

Ghostscript is used heavily in Linux and is often installed by default, say researchers at
Kroll.
But when the applications that use Ghostscript are ported to other operating systems such as Windows, they will continue to use a port of Ghostscript on the new operating system.

This means, the report says, that rather than impacting only one operating system, the vulnerability has the potential to affect many, particularly those with printing or publishing applications that make use of open-source components.

First released in 1988, Ghostscript has been part of many Linux distributions’ default installs. The Kroll report notes it is rarely used directly. Instead it is frequently used by other open-source software packages to help with printing or converting files. It is a required dependency for “cups-filters,” which is a core component of the Common Unix Printing System (CUPS), Linux’s primary mechanism for printing and print services. Other applications make use of Ghostscript for reading and saving PostScript (PS), Embedded PostScript (EPS) or PDF files.

On a Debian 12 system, Kroll says, 131 packages depend on Ghostscript. The list of applications that use Ghostscript includes notable desktop and productivity applications such as LibreOffice, Inkscape, and Scribus, along with other tools such as ImageMagick (which itself is a dependency of many important applications).

The Ghostscript vulnerability disclosure indicates that the issue relates to operating system pipes, which the Kroll report says are a mechanism for separate pieces of software to talk to each other through the output of one application being the input of another. These pipes are often represented by the “|” symbol on the command line. The vulnerability description also states that the issue relates to a permissions validation.

Kroll recommends updating Linux and affected systems to the latest security patch levels for Ghostscript. Applications that have the ability to render PDF or EPS files should also be checked for Ghostscript usage and updated as patches become available from the vendor. And infosec pros should ensure all endpoints are regularly patched and updated to defend against known vulnerabilities that threat actors may exploit.

The post Linux distributors, open source developers warned to update Ghostscript first appeared on IT World Canada.
Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

North Korean Job Scam Targeting IT Job Seekers

North Korea’s Lazarus advanced persistent threat (APT) group has launched a sophisticated campaign, “Operation 99,” targeting freelance software...

Hackers Exploit FastHTTP in High-Speed Microsoft 365 Attacks

Threat actors are employing the FastHTTP Go library to launch high-speed brute-force password attacks on Microsoft 365 accounts...

YouTubers Targeted As Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

Attackers have found a new way to infect people seeking pirated or cracked software: planting malicious download links...

New macOS Malware Exploits Apple’s Security Features to Stay Hidden and Steal User Data

A newly discovered variant of the Banshee macOS Stealer malware is putting 100 million Apple users at risk...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways