cert | Tavis Ormandy | VU:332928
History: Aug 21, 2018 - 12:00 a.m.

Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities

2018-08-21 00:00:00
Tavis Ormandy
www.kb.cert.org
CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.973 High
Percentile: 99.9%

Overview

Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.

Description

Ghostscript contains an optional -dSAFER option, which is supposed to prevent unsafe PostScript operations. Multiple PostScript operations bypass the protections provided by -dSAFER, which can allow an attacker to execute arbitrary commands with arbitrary arguments. This vulnerability can also be exploited in applications that leverage Ghostscript, such as ImageMagick, GraphicsMagick, evince, Okular, Nautilus, and others.

Exploit code for this vulnerability is publicly available.


Impact

By causing Ghostscript or a program that leverages Ghostscript to parse a specially-crafted file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code. This may be triggered by actions as simple as downloading a file from a website.


Solution

Apply an update

This issue is addressed in Ghostscript version 9.24. Please also consider the following workarounds:


Disable PS, EPS, PDF, and XPS coders in ImageMagick policy.xml

ImageMagick uses Ghostscript by default to process PostScript content. ImageMagick can be controlled via the policy.xml security policy to disable the processing of PS, EPS, PDF, and XPS content. For example, this can be done by adding these lines to the <policymap> section of the /etc/ImageMagick/policy.xml file on a RedHat system:

<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="PS2" />
<policy domain="coder" rights="none" pattern="PS3" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
<policy domain="coder" rights="none" pattern="XPS" />

Check with your vendor for the proper location of this file on your platform. Note that this workaround only mitigates the ImageMagick attack vector to Ghostscript.
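
An added example (not part of the advisory): a Python check that parses a policy.xml and reports which of the six coders named in the workaround are not set to rights="none". The brace-list pattern form and the conservative rule that any non-"none" rights entry marks a coder as enabled are assumptions of this example, and both sample policies are constructed.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders the advisory's workaround says to disable.
REQUIRED = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample: two coders disabled, PDF explicitly allowed,
# and the XPS entry left inside an XML comment (so it has no effect).
WEAK_POLICY = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="XPS" /> -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="read|write" pattern="PDF" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""

# Constructed sample: all six coders disabled with one brace-list pattern.
FIXED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
</policymap>"""


def expand_braces(pattern):
    """Expand {A,B,C} groups into separate globs (assumed pattern syntax)."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [g for alt in m.group(1).split(",")
            for g in expand_braces(head + alt.strip() + tail)]


def coder_status(policy_xml, coders=REQUIRED):
    """Map each coder to 'disabled', 'enabled' or 'unset' for a policy.xml string."""
    status = {c: "unset" for c in coders}
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        rights = pol.get("rights", "").strip().lower()
        globs = [g.upper() for g in expand_braces(pol.get("pattern", ""))]
        for c in coders:
            if not any(fnmatch.fnmatchcase(c, g) for g in globs):
                continue
            if rights != "none":
                status[c] = "enabled"      # conservative: any grant wins
            elif status[c] == "unset":
                status[c] = "disabled"
    return status


def missing_coders(policy_xml):
    """Coders from the advisory's list that the policy does not disable."""
    return [c for c, s in coder_status(policy_xml).items() if s != "disabled"]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "still enabled or unset:", missing_coders(text) or "none")
```

To check a live system, pass the contents of the platform's policy.xml to missing_coders(); `identify -list policy` shows the policy ImageMagick actually loaded.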

Remove Ghostscript

Because of the number of different attack vectors to get to Ghostscript and the public availability of exploit code, the most effective protection for this vulnerability is to remove Ghostscript from your system until a fixed version is available.

Patch Ghostscript

Artifex software has made the following patches available for Ghostscript:

<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01b6>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614dc33>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=79cccf641486>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=520bb0ea7519aa3e79db78aaf0589dae02103764>

Vendor Information


Artifex Software, Inc. Affected

Notified: August 24, 2018 Updated: September 06, 2018

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Ghostscript security vulnerabilities resolved

Novato, CA August 24, 2018 – Artifex Software is pleased to report that the recently
disclosed security vulnerabilities in Ghostscript have been resolved. On August 21,
2018, a Google Project Zero security researcher disclosed Ghostscript
security vulnerabilities; a CERT advisory was released that day as well.

As of August 24, 2018, all reported problems have been fixed and will be part of the
next Ghostscript release in late September. Individual patches are available now in the
Ghostscript repository and are listed below. We recommend applying these security
fixes as soon as possible.

<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614>

Artifex takes security issues very seriously and strongly encourages responsible and
coordinated disclosure of vulnerabilities. Developers should be given the opportunity to
fix security problems in advance of public disclosure.

For every vendor listed below: We have not received a statement from the vendor. We are not aware of further vendor information regarding this vulnerability.

CentOS: Affected. Notified: August 21, 2018. Updated: August 22, 2018.
Debian GNU/Linux: Affected. Notified: August 21, 2018. Updated: August 22, 2018.
Fedora Project: Affected. Notified: August 21, 2018. Updated: August 22, 2018.
FreeBSD Project: Affected. Notified: August 21, 2018. Updated: August 22, 2018.
Gentoo Linux: Affected. Notified: August 21, 2018. Updated: August 22, 2018.
ImageMagick: Affected. Notified: August 24, 2018. Updated: August 24, 2018.
Red Hat, Inc.: Affected. Notified: August 21, 2018. Updated: August 21, 2018.
SUSE Linux: Affected. Notified: August 21, 2018. Updated: August 22, 2018.
Synology: Affected. Updated: August 23, 2018.
Ubuntu: Affected. Notified: August 21, 2018. Updated: March 13, 2019.

Apple: Not Affected. Notified: August 21, 2018. Updated: August 27, 2018. Statement Date: August 27, 2018.
CoreOS: Not Affected. Notified: August 21, 2018. Updated: August 21, 2018. Statement Date: August 21, 2018.

ASP Linux: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Arch Linux: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Arista Networks, Inc.: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Dell EMC: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
DesktopBSD: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
DragonFly BSD Project: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
ENEA: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
F5 Networks, Inc.: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Geexbox: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Google: Unknown. Notified: August 27, 2018. Updated: August 27, 2018.
HP Inc.: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
HardenedBSD: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Hewlett Packard Enterprise: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Hitachi: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
HomeSeer: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
IBM, INC.: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Illumos: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Joyent: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Juniper Networks: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Lenovo: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Marconi, Inc.: Unknown. Notified: August 24, 2018. Updated: August 24, 2018.
Micro Focus: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Microsoft: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
MontaVista Software, Inc.: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
NAS4Free: Unknown. Notified: August 24, 2018. Updated: August 24, 2018.
NEC Corporation: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
NetBSD: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Nexenta: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Nokia: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
OmniTI: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
OpenBSD: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
OpenIndiana: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Openwall GNU/*/Linux: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Oracle Corporation: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
QNX Software Systems Inc.: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Slackware Linux Inc.: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Sony Corporation: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
The Open Group: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
The SCO Group (SCO Unix): Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Tizen: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
TrueOS: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Turbolinux: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
Unisys: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.
m0n0wall: Unknown. Notified: August 21, 2018. Updated: August 21, 2018.

CVSS Metrics

Group Score Vector
Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal 6.8 E:F/RL:W/RC:C
Environmental 6.8 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

Acknowledgements

This vulnerability was publicly disclosed by Tavis Ormandy.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2018-16509
Date Public: 2018-02-21 Date First Published:
