{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2018-023.pdf"
    },
    "title": "Major Vulnerability in Ghostscript",
    "serial_number": "2018-023",
    "publish_date": "24-08-2018 13:46:00",
    "description": "Ghostscript -- an interpreter for PostScript and PDF -- is affected by a major vulnerability. There is currently no patch available, but some workarounds are possible.",
    "url_title": "2018-023",
    "content_markdown": "---\ntitle: 'Major Vulnerability in Ghostscript'\nversion: '1.0'\nnumber: '2018-023'\ndate: 'August 24, 2018'\n---\n\n_History:_\n\n* _24/08/2018 --- v1.0: Initial publication_\n\n# Summary\n\nGhostscript -- an interpreter for PostScript and PDF -- is affected by a major vulnerability. There is currently no patch available, but some workarounds are possible.\n\n# Technical Details\n\nTavis Ormandy, a Google Project Zero security researcher, released details about a major vulnerability in Ghostscript [1]. To exploit this vulnerability, all an attacker needs to do is send a specially crafted malicious file (which could be a PDF, PS, EPS, or XPS) to a victim; if it is opened with an application leveraging vulnerable Ghostscript, the attacker could completely take over the targeted system [4].\n\nThe Ghostscript suite includes a built-in `-dSAFER` sandbox protection option that handles untrusted documents, preventing unsafe or malicious PostScript operations from being executed. However, there are multiple `-dSAFER` sandbox bypass vulnerabilities, which could allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system [3].\n\nThere is currently no CVE for this vulnerability.\n\n# Products Affected\n\nThe Ghostscript interpreter is embedded in several operating systems, software suites, and libraries that allow desktop software and web servers to handle PostScript and PDF-based documents [2].\n\n# Recommendations\n\nThere is no solution for this issue at the moment. There is only the workaround mentioned below.\n\n## Workarounds\n\nThe researcher advises Linux distributions to disable the processing of PS, EPS, PDF, and XPS content until the issue is addressed [1].\n\nFor ImageMagick, an image processing library widely used in Linux, it is recommended to disable the PS, EPS, PDF, and XPS coders in the ImageMagick `policy.xml` [3]. ImageMagick uses Ghostscript by default to process PostScript content. ImageMagick can be controlled via the `policy.xml` security policy to disable the processing of PS, EPS, PDF, and XPS content. For example, this can be done by adding these lines to the `<policymap>` section of the `/etc/ImageMagick/policy.xml` file on a Red Hat system:\n\n    <policy domain=\"coder\" rights=\"none\" pattern=\"PS\" />\n    <policy domain=\"coder\" rights=\"none\" pattern=\"PS2\" />\n    <policy domain=\"coder\" rights=\"none\" pattern=\"PS3\" />\n    <policy domain=\"coder\" rights=\"none\" pattern=\"EPS\" />\n    <policy domain=\"coder\" rights=\"none\" pattern=\"PDF\" />\n    <policy domain=\"coder\" rights=\"none\" pattern=\"XPS\" />\n\n# References\n\n[1] <http://openwall.com/lists/oss-security/2018/08/21/2>\n\n[2] <https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=332928&SearchOrder=4>\n\n[3] <https://www.kb.cert.org/vuls/id/332928>\n\n[4] <https://www.bleepingcomputer.com/news/security/no-patch-available-yet-for-new-major-vulnerability-in-ghostscript-interpreter/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>24/08/2018 --- v1.0: Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>Ghostscript -- an interpreter for PostScript and PDF -- is affected by a major vulnerability. There is currently no patch available, but some workarounds are possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>Tavis Ormandy, a Google Project Zero security researcher, released details about a major vulnerability in Ghostscript [1]. To exploit this vulnerability, all an attacker needs to do is send a specially crafted malicious file (which could be a PDF, PS, EPS, or XPS) to a victim; if it is opened with an application leveraging vulnerable Ghostscript, the attacker could completely take over the targeted system [4].</p><p>The Ghostscript suite includes a built-in <code>-dSAFER</code> sandbox protection option that handles untrusted documents, preventing unsafe or malicious PostScript operations from being executed. However, there are multiple <code>-dSAFER</code> sandbox bypass vulnerabilities, which could allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system [3].</p><p>There is currently no CVE for this vulnerability.</p><h2 id=\"products-affected\">Products Affected</h2><p>The Ghostscript interpreter is embedded in several operating systems, software suites, and libraries that allow desktop software and web servers to handle PostScript and PDF-based documents [2].</p><h2 id=\"recommendations\">Recommendations</h2><p>There is no solution for this issue at the moment. There is only the workaround mentioned below.</p><h3 id=\"workarounds\">Workarounds</h3><p>The researcher advises Linux distributions to disable the processing of PS, EPS, PDF, and XPS content until the issue is addressed [1].</p><p>For ImageMagick, an image processing library widely used in Linux, it is recommended to disable the PS, EPS, PDF, and XPS coders in the ImageMagick <code>policy.xml</code> [3]. ImageMagick uses Ghostscript by default to process PostScript content. ImageMagick can be controlled via the <code>policy.xml</code> security policy to disable the processing of PS, EPS, PDF, and XPS content. For example, this can be done by adding these lines to the <code>&lt;policymap&gt;</code> section of the <code>/etc/ImageMagick/policy.xml</code> file on a Red Hat system:</p><pre><code>&lt;policy domain=\"coder\" rights=\"none\" pattern=\"PS\" /&gt;\n&lt;policy domain=\"coder\" rights=\"none\" pattern=\"PS2\" /&gt;\n&lt;policy domain=\"coder\" rights=\"none\" pattern=\"PS3\" /&gt;\n&lt;policy domain=\"coder\" rights=\"none\" pattern=\"EPS\" /&gt;\n&lt;policy domain=\"coder\" rights=\"none\" pattern=\"PDF\" /&gt;\n&lt;policy domain=\"coder\" rights=\"none\" pattern=\"XPS\" /&gt;\n</code></pre><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"http://openwall.com/lists/oss-security/2018/08/21/2\">http://openwall.com/lists/oss-security/2018/08/21/2</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=332928&SearchOrder=4\">https://www.kb.cert.org/vuls/byvendor?searchview&amp;Query=FIELD+Reference=332928&amp;SearchOrder=4</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.kb.cert.org/vuls/id/332928\">https://www.kb.cert.org/vuls/id/332928</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/no-patch-available-yet-for-new-major-vulnerability-in-ghostscript-interpreter/\">https://www.bleepingcomputer.com/news/security/no-patch-available-yet-for-new-major-vulnerability-in-ghostscript-interpreter/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}