Lucene search

K
ubuntucveUbuntu.comUB:CVE-2023-43115
HistorySep 18, 2023 - 12:00 a.m.

CVE-2023-43115

2023-09-1800:00:00
ubuntu.com
ubuntu.com
24
artifex ghostscript
remote code execution
postscript
ijs device
safer
file opening path validation
ghostpdl

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

58.7%

In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to
remote code execution via crafted PostScript documents because they can
switch to the IJS device, or change the IjsServer parameter, after SAFER
has been activated. NOTE: it is a documented risk that the IJS server can
be specified on a gs command line (the IJS device inherently must execute a
command to start the IJS server).

Bugs

Notes

Author Note
rodrigo-zaiden the risk of having programs being executed with IJS server is documented in the start of the devices/gdevijs.c source file and in the online documentation: https://ghostscript.readthedocs.io/en/gs10.02.0/Devices.html#ijs-inkjet-and-other-raster-devices “Note also that if -dSAFER is not specified, it’s possible for PostScript code to set this parameter, so it can cause arbitrary code to be executed.” the commit that fixes this issue makes it clear that there is no way to properly validate it. what the fix does is to provide a minimal guard based on file opening path validation. it will prevent PostScript programs switching to the IJS device after SAFER has been activated. file opening path validation was added in version 9.28, with commmit 9de16a6637b73e35f79d2d622de403b24e6502f2, so in Ubuntu it is applicable starting from focal, for previous versions, the remediation is not applicable. applying file opening path validation for older versions sounds risky and could possible bring other problems.
OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchghostscript< 9.50~dfsg-5ubuntu4.11UNKNOWN
ubuntu22.04noarchghostscript< 9.55.0~dfsg1-0ubuntu5.5UNKNOWN
ubuntu23.04noarchghostscript< 10.0.0~dfsg1-0ubuntu1.4UNKNOWN
ubuntu23.10noarchghostscript< 10.01.2~dfsg1-0ubuntu2.1UNKNOWN

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

58.7%