Even if you haven’t heard of the venerable Ghostscript project, you may very well have used it without knowing. Ghostscript is a free and open-source implementation of Adobe’s widely-used PostScript document composition system and its even-more-widely-used PDF file format, short for Portable Document Format. It is commonly used behind the scenes in various software applications to import vector graphics files or convert program code into a more suitable format for displaying or printing. However, until the latest release of Ghostscript, a bug tracked as CVE-2023-36664 allowed malicious documents not only to create pages of text and graphics but also to send system commands and trick the software into running them. This bug arose from Ghostscript’s handling of filenames for output, which made it possible to send the output into a pipe rather than a regular file.
Pipes, or system objects that pretend to be files, are used to send data from one program to another without saving it to a temporary file first. This is useful for process chains where the output of one program serves as the input for another. However, Ghostscript’s “feature” allowed users to specify a filename starting with %pipe% or |, giving them the ability to launch a command on the victim’s computer. The Ghostscript team attempted to fix this bug but inadvertently introduced another vulnerability by allowing both the | character and the %pipe% prefix.
To protect yourself, ensure that you have the latest version of Ghostscript if it is managed by your operating system or package manager. If you have software that comes with a bundled version of Ghostscript, check with the provider for details on upgrading the component. As a programmer, do not rely solely on the obvious bug fix; also consider other potential coding blunders or tricks that could exploit known vulnerabilities. Always be thorough in your vulnerability-squashing work.
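As an added illustration (not code from the Ghostscript project), here is how an application that builds Ghostscript command lines could vet output names itself, treating both pipe spellings alike and allowing only plain paths under one output directory. The helper names, the `/tmp/gs-out` directory and the sample commands are constructed for this example; it checks command-line arguments only and does not replace updating Ghostscript.

```python
from pathlib import Path

# Both spellings of a pipe target named in the article.
PIPE_PREFIXES = ("%pipe%", "|")


def is_pipe_target(name: str) -> bool:
    """True if an output name uses either pipe spelling.
    Leading whitespace is ignored as a conservative choice of this example."""
    return name.lstrip().startswith(PIPE_PREFIXES)


def output_targets(argv: list[str]) -> list[str]:
    """Collect output names from -sOutputFile=NAME and -o NAME arguments."""
    found = []
    for i, arg in enumerate(argv):
        if arg.startswith("-sOutputFile="):
            found.append(arg.split("=", 1)[1])
        elif arg == "-o" and i + 1 < len(argv):
            found.append(argv[i + 1])
    return found


def check_command(argv: list[str], out_dir: str) -> list[tuple[str, str]]:
    """Return (target, reason) for every unacceptable output name.
    Allowlist policy (an assumption of this example): a plain path that
    resolves inside out_dir is accepted, everything else is rejected."""
    root = Path(out_dir).resolve()
    problems = []
    for target in output_targets(argv):
        if is_pipe_target(target):
            problems.append((target, "pipe"))
        elif target.lstrip().startswith("%"):
            problems.append((target, "device-prefix"))
        elif not (root / target).resolve().is_relative_to(root):
            problems.append((target, "outside-output-dir"))
    return problems


if __name__ == "__main__":
    # Constructed sample command lines, not taken from any real system.
    samples = [
        ["gs", "-sDEVICE=png16m", "-sOutputFile=page-%03d.png", "in.ps"],
        ["gs", "-sDEVICE=pdfwrite", "-sOutputFile=%pipe%lpr", "in.ps"],
        ["gs", "-sDEVICE=pdfwrite", "-o", "|lpr", "in.ps"],
    ]
    for cmd in samples:
        print(" ".join(cmd), "->", check_command(cmd, "/tmp/gs-out") or "ok")
```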
1. Ghostscript is a widely-used implementation of Adobe’s PostScript and the PDF file format.
2. A bug in Ghostscript allowed malicious documents to execute system commands.
3. The bug arose due to Ghostscript’s handling of filenames for output, allowing data to be sent into a pipe instead of a regular file.
4. The Ghostscript team attempted to fix the bug but introduced another vulnerability in the process.
5. Users should update to the latest version of Ghostscript and programmers should be thorough in their vulnerability-squashing work.