Security Experts:

Connect with us

Hi, what are you looking for?



Unpatched Ghostscript Vulnerabilities Impact Popular Software

Ghostscript Impacted by Multiple -dSAFER Sandbox Bypass Vulnerabilities

Ghostscript Impacted by Multiple -dSAFER Sandbox Bypass Vulnerabilities

Unpatched vulnerabilities in Ghostscript impact a broad range of popular software products, including several Linux distributions, CERT/CC reveals in a Tuesday alert.

Ghostscript, a suite of software based on an interpreter for Adobe’s PostScript and PDF page description languages, is widely used across stand-alone and web applications, including packages such as GIMP and ImageMagick.

The same as other highly popular software out there, vulnerabilities in Ghostscript are valuable targets for both cybercriminals and threat actors, and such flaws have been already abused by North Korea-linked hackers.

Now, Google Project Zero security researcher Tavis Ormandy says that Ghostscript is impacted by multiple critical vulnerabilities and that “ImageMagick, Evince, GIMP, and most other PDF/PS tools” are impacted as well.

In addition to several -dSAFER sandbox escapes reported a few years ago, the popular interpreter is also impacted by “a few file disclosure, shell command execution, memory corruption and type confusion bugs,” the researcher says.

Although there is a -dSAFER option to prevent unsafe PostScript operations, there are numerous operations that bypass the protections provided by -dSAFER, thus allowing an attacker to execute arbitrary commands with arbitrary arguments, the CERT/CC warns.

In their alert, CERT/CC notes not only that there are multiple -dSAFER sandbox bypass vulnerabilities impacting Ghostscript, but also that these are inherited in all applications that leverage the interpreter. These flaws could be exploited by an unauthenticated attacker for remote command execution.

Artifex Software, ImageMagick, Red Hat, and Ubuntu products have been already found to be affected, but other products might be impacted as well. Thus, CERT/CC decided to warn all major software companies on the issue.

One solution to the issue, Ormandy notes, is to disable all the ghostscript coders in policy.xml. CERT/CC also advises the use of policy.xml security policy to disable the processing of PS, EPS, PDF, and XPS content.

“In the short term the advice for distribution to start disabling PS, EPS, PDF and XPS coders by default is the only defense until a fix is available,” Stephen Giguere, Sales Engineer at Synopsys, confirms in an emailed statement for SecurityWeek.

“Ghostscript is used pretty much everywhere and has been for a very long time. Packages like GIMP (a Photoshop alternative) but more important for web applications, ImageMagick are prevalent to the extent of being standard for the processing of PDF files. This exploit has the potential for file system access leading to sensitive data leak and more as it can be the beachhead opportunity for a more comprehensive data breach,” Giguere says.

 Related: North Korean Hackers Prep Attacks Against Cryptocurrency Exchanges: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.