CVE-2023-43115

2023-09-1800:00:00

ubuntu.com

artifex ghostscript

remote code execution

postscript

ijs device

safer

file opening path validation

ghostpdl

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

58.8%

JSON

In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to
remote code execution via crafted PostScript documents because they can
switch to the IJS device, or change the IjsServer parameter, after SAFER
has been activated. NOTE: it is a documented risk that the IJS server can
be specified on a gs command line (the IJS device inherently must execute a
command to start the IJS server).

Bugs

<https://bugs.ghostscript.com/show_bug.cgi?id=707051>

Notes

Author	Note
rodrigo-zaiden	the risk of having programs being executed with IJS server is documented in the start of the devices/gdevijs.c source file and in the online documentation: https://ghostscript.readthedocs.io/en/gs10.02.0/Devices.html#ijs-inkjet-and-other-raster-devices “Note also that if -dSAFER is not specified, it’s possible for PostScript code to set this parameter, so it can cause arbitrary code to be executed.” the commit that fixes this issue makes it clear that there is no way to properly validate it. what the fix does is to provide a minimal guard based on file opening path validation. it will prevent PostScript programs switching to the IJS device after SAFER has been activated. file opening path validation was added in version 9.28, with commmit 9de16a6637b73e35f79d2d622de403b24e6502f2, so in Ubuntu it is applicable starting from focal, for previous versions, the remediation is not applicable. applying file opening path validation for older versions sounds risky and could possible bring other problems.

Author

Note

rodrigo-zaiden

the risk of having programs being executed with IJS server is documented in the start of the devices/gdevijs.c source file and in the online documentation: https://ghostscript.readthedocs.io/en/gs10.02.0/Devices.html#ijs-inkjet-and-other-raster-devices “Note also that if -dSAFER is not specified, it’s possible for PostScript code to set this parameter, so it can cause arbitrary code to be executed.” the commit that fixes this issue makes it clear that there is no way to properly validate it. what the fix does is to provide a minimal guard based on file opening path validation. it will prevent PostScript programs switching to the IJS device after SAFER has been activated. file opening path validation was added in version 9.28, with commmit 9de16a6637b73e35f79d2d622de403b24e6502f2, so in Ubuntu it is applicable starting from focal, for previous versions, the remediation is not applicable. applying file opening path validation for older versions sounds risky and could possible bring other problems.

OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchghostscript< 9.50~dfsg-5ubuntu4.11UNKNOWN
ubuntu22.04noarchghostscript< 9.55.0~dfsg1-0ubuntu5.5UNKNOWN
ubuntu23.04noarchghostscript< 10.0.0~dfsg1-0ubuntu1.4UNKNOWN
ubuntu23.10noarchghostscript< 10.01.2~dfsg1-0ubuntu2.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	20.04	noarch	ghostscript	< 9.50~dfsg-5ubuntu4.11	UNKNOWN
ubuntu	22.04	noarch	ghostscript	< 9.55.0~dfsg1-0ubuntu5.5	UNKNOWN
ubuntu	23.04	noarch	ghostscript	< 10.0.0~dfsg1-0ubuntu1.4	UNKNOWN
ubuntu	23.10	noarch	ghostscript	< 10.01.2~dfsg1-0ubuntu2.1	UNKNOWN