Security update: GhostScript 9.25 (2018-09-13)

Posted on 2018-09-19 by guenni

[German]Just a brief information for users of GhostScript software (often used in software to display or create PDF files). The developers have already released a security update to GhostScript 9.25 on September 13, 2018, which closes vulnerabilities. An update is strongly recommended. 

Advertising

What is GhostScript?

GhostScript (GS) is a suite of software based on an interpreter for Adobe Systems' PostScript and Portable Document Format(PDF) page description languages. Its main purposes are the rasterization or rendering of such page description language files, for the display or printing of document pages, and the conversion between PostScript and PDF files. GhostScript has been developed by Peter Deutsch (the commercial license is available at Artifed Software).  GS is available for Linux, Unix, VMS, Windows, macOS, Mac OS Classic, MSDOS, OS/2 etc. GS is included in many software products (I guess most of all PDF printers and editors, but also Gimp, ImageMagick etc.).

Security update to GhostScript 9.25

German blog reader Ralf Lindemann left this comment, mentions, that GhostScript 9.25 is released since September 13, 2018 (thanks for the hint). The developers write here that this version fixes issues with argument handling, some unintended results of security fixes to SAFER file access restrictions (especially when accessing ICC profile files), and some additional security issues of the latest version 9.24.

Update strongly recommended

According to the linked article, the focus of this release was on fixing various security issues. This includes fixes for several (well known) real and potential attack scenarios. The developers strongly recommend that users update to this latest version to avoid these problems.

The developers also point out that the ps2epsi utility (generates EPSi files) cannot and will not call Ghostscript with the -dSAFER command line option. It should never be called with input from untrusted sources. You can download the software from this page.

Note: GhostScript is often part of other software. For example, I use the BullZip PDF Printer, which relies on GhostScript. Therefore I downloaded GhostScript as 32-bit version, renamed the old folder gs in the program folder and installed the new version of GhostScript 9.25 in the subfolder gs.  

Similar articles:
Unpatched vulnerability in GhostScript interpreter
6 year old loop bug in many PDF viewers

Advertising
Cookies helps to fund this blog: Cookie settings
Advertising

This entry was posted in Security, Software, Update and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *