A high-severity vulnerability in Ghostscript, tracked as CVE-2023-36664, could allow an attacker to hijack a routine and even execute commands on affected systems.
For those unacquainted with the backstage of software utilities, Ghostscript is the unsung hero of the PostScript and PDF world. Almost invisibly embedded in hundreds of software suites and coding libraries, it forms the backbone for handling PostScript and PDF-based documents. You’ll find it functioning diligently inside software like ImageMagick, Evince, GIMP, and every PDF editor or viewer you can think of. Even the open-source graphics powerhouse Inkscape relies heavily on Ghostscript.
Ghostscript has traditionally been a reliable solution, frequently used behind the scenes by other programs and incorporated into various cloud services. But a recent bug highlighted a vulnerability that could enable malicious documents to execute system commands.
This bug, assigned the identifier CVE-2023-36664, went unaddressed until the recent release of Ghostscript version 10.01.2. The cause? A Ghostscript feature that let the handling of output filenames be manipulated, tricking the rendering engine into executing potentially harmful system commands.
Let’s unpack this a little. Pipes, in computing, are system objects that behave like files. They allow data to be written to them as if they were a storage disk. However, the data doesn’t actually end up on the disk; instead, it finds a temporary home in a block of memory. This feature makes pipes exceptionally useful for transporting data from one program to another.
The trouble starts when a specially formatted filename, indicating a pipe rather than a file, is accepted. Such a filename can cause a command to run. Ghostscript had exactly such a feature: output could be directed to a specially formatted filename beginning with %pipe% or |, which could launch a command on the unsuspecting victim’s computer.
This vulnerability issue has been addressed in the latest release of Ghostscript. It serves as a potent reminder of the need for careful handling of filenames and outputs in software development.
For anyone potentially affected, the remedy is straightforward: ensure that your Ghostscript is updated to version 10.01.2 or above, either manually or through your application’s automatic update feature if one is available.
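As an added defensive example (not code from this article or from the Ghostscript project), the Python helper below applies both points made above: it refuses the %pipe% and | output-name prefixes before a command line built from untrusted input reaches gs, and it checks a Ghostscript version string against 10.01.2. The command-line spellings -sOutputFile=NAME, -o NAME and -oNAME are assumed from Ghostscript's documented usage; the gs --version query is assumed to print a bare version string.

```python
import re
import subprocess
from typing import List, Optional, Tuple

# Prefixes the article describes: Ghostscript treats such an output name as a pipe to a command.
PIPE_PREFIXES = ("%pipe%", "|")
# First release the article names as carrying the fix.
FIXED_VERSION = (10, 1, 2)

def is_pipe_filename(name: str) -> bool:
    """True if an output name would be treated as a pipe to a command rather than a file."""
    return name.lstrip().startswith(PIPE_PREFIXES)

def parse_version(version: str) -> Tuple[int, ...]:
    """'10.01.2' -> (10, 1, 2); also tolerates a banner such as 'GPL Ghostscript 10.01.2 (date)'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))[:3]

def is_patched(version: str) -> bool:
    """True if the Ghostscript version string is 10.01.2 or later."""
    return parse_version(version) >= FIXED_VERSION

def installed_version() -> Optional[str]:
    """Ask the local gs binary for its version string; None if gs is not installed (assumed CLI)."""
    try:
        out = subprocess.run(["gs", "--version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()

def unsafe_output_args(args: List[str]) -> List[str]:
    """Return every output-file value in a gs command line that names a pipe.
    Covers the spellings assumed from Ghostscript's usage: -sOutputFile=NAME, -o NAME and -oNAME."""
    bad: List[str] = []
    i = 0
    while i < len(args):
        arg, name = args[i], None
        if arg.startswith("-sOutputFile="):
            name = arg[len("-sOutputFile="):]
        elif arg == "-o" and i + 1 < len(args):
            i += 1
            name = args[i]
        elif arg.startswith("-o") and len(arg) > 2:
            name = arg[2:]
        if name is not None and is_pipe_filename(name):
            bad.append(name)
        i += 1
    return bad
```

Refusing these names in a wrapper is defence in depth for services that assemble gs command lines from user-supplied data; the version check confirms the actual fix is in place.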