Ghostscript, a free and open-source implementation of Adobe’s PostScript document composition system and PDF file format, has recently released version 10.01.2 to address a bug that could potentially allow attackers to execute system commands. This bug, known as CVE-2023-36664, allowed rogue documents to manipulate the Ghostscript rendering engine and trick the software into running arbitrary commands.
The issue stemmed from Ghostscript’s handling of output filenames, which could be redirected to a pipe rather than a regular file. Pipes are system objects that behave like files, allowing data to be passed between programs without writing to disk. However, this feature can be exploited if remote content specifies a filename that triggers the execution of a command instead of writing to a file.
To mitigate this vulnerability, the Ghostscript team added a check to detect the presence of the dangerous text “%pipe” at the start of a filename. Initially, the code only checked for the presence of “%pipe” before considering the filename safe. However, the team later realized that plain pipe characters (“|”) could also be used to initiate a pipeline command, so the code was updated to handle both cases.
Users of standalone Ghostscript packages managed by Unix or Linux distros are advised to update to the latest version to protect against this vulnerability. Those using software that includes a bundled version of Ghostscript should contact their provider for information on upgrading the component.
This incident serves as a reminder to programmers to thoroughly examine their code for potential vulnerabilities. Relying solely on obvious bug fixes may leave room for similar coding mistakes to be overlooked. It is important to consider the broader context and consider other potential attack vectors that could exploit existing vulnerabilities.
By taking proactive measures and remaining vigilant, users and developers can help ensure the security and integrity of their systems and software. Regular updates and patch management are essential, as vulnerabilities can often be identified and addressed through ongoing monitoring and cooperation within the software community.