CVE-2024-29511
📋 TL;DR
This vulnerability in Ghostscript with Tesseract OCR allows attackers to read arbitrary files and write error messages to arbitrary locations via directory traversal in OCRLanguage parameters. Systems using Ghostscript with Tesseract OCR enabled are affected, particularly those processing untrusted PDF files. The vulnerability can lead to sensitive file disclosure and potential file corruption.
💻 Affected Systems
- Artifex Ghostscript
📦 What is this software?
Ghostscript by Artifex
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading sensitive files like /etc/shadow, SSH keys, or configuration files, and potential denial of service by overwriting critical system files with error messages.
Likely Case
Unauthorized reading of sensitive files containing credentials, configuration data, or personal information from the server filesystem.
If Mitigated
Limited impact if Ghostscript runs in sandboxed environments with restricted filesystem access and processes only trusted documents.
🎯 Exploit Status
Exploitation requires the ability to supply malicious OCRLanguage parameters, typically through processing untrusted PDF files. The vulnerability details and exploitation methods are publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.03.1
Vendor Advisory: https://bugs.ghostscript.com/show_bug.cgi?id=707510
Restart Required: Yes
Instructions:
1. Download Ghostscript 10.03.1 or later from official sources.
2. Stop all Ghostscript services.
3. Install the updated version following your distribution's package management procedures.
4. Restart services using Ghostscript.
🔧 Temporary Workarounds
Disable Tesseract OCR
All platforms: Disable OCR functionality if not required, preventing exploitation of this vulnerability.
Modify Ghostscript configuration to remove or disable OCR support
Set environment variable GS_OPTIONS to exclude OCR features
Sandbox Ghostscript Execution
Linux: Run Ghostscript in a restricted environment with limited filesystem access.
Use chroot, containers, or AppArmor/SELinux policies to restrict filesystem access
🧯 If You Can't Patch
- Implement strict input validation and sanitization for OCRLanguage parameters
- Run Ghostscript with minimal privileges and restricted filesystem access using security frameworks
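One way to implement the OCRLanguage validation above in a wrapper that builds the gs command line. This is an added example, not code from Artifex or from the advisory; the allowlist contents, the function names and the sample command lines are assumptions.

```python
import re

# Assumption: the Tesseract languages installed for this deployment.
ALLOWED_LANGUAGES = frozenset({"eng", "deu", "fra", "chi_sim"})
# Shape of one language name, e.g. "eng" or "chi_sim": letters and underscores only.
LANG_TOKEN = re.compile(r"[A-Za-z]{3,}(?:_[A-Za-z]+)*")
OCR_PREFIX = "-sOCRLanguage="


def validate_ocr_language(value, allowed=ALLOWED_LANGUAGES):
    """Return the list of requested languages, or raise ValueError."""
    if not isinstance(value, str) or not 0 < len(value) <= 64:
        raise ValueError("OCRLanguage must be a non-empty string of at most 64 characters")
    langs = value.split("+")  # Tesseract joins multiple languages with '+'
    for lang in langs:
        # fullmatch rejects '/', '\\', '.', NUL, whitespace and empty parts,
        # so no path component can survive this check.
        if not LANG_TOKEN.fullmatch(lang):
            raise ValueError(f"illegal characters in OCRLanguage part {lang!r}")
        if lang not in allowed:
            raise ValueError(f"language {lang!r} is not in the allowlist")
    return langs


def rejected_ocr_args(argv, allowed=ALLOWED_LANGUAGES):
    """Return (argument, reason) pairs for every bad -sOCRLanguage= in argv."""
    bad = []
    for arg in argv:
        if arg.startswith(OCR_PREFIX):
            try:
                validate_ocr_language(arg[len(OCR_PREFIX):], allowed)
            except ValueError as exc:
                bad.append((arg, str(exc)))
    return bad


if __name__ == "__main__":
    # Constructed sample command lines, not taken from the advisory.
    good = ["gs", "-sDEVICE=pdfocr8", "-sOCRLanguage=eng+deu", "-o", "out.pdf", "in.pdf"]
    bad = ["gs", "-sDEVICE=pdfocr8", "-sOCRLanguage=../../tmp/x", "-o", "out.pdf", "in.pdf"]
    print(rejected_ocr_args(good))  # nothing rejected
    print(rejected_ocr_args(bad))   # the traversal value is rejected
```

Refuse to launch gs when rejected_ocr_args returns anything, and log the rejected value so it shows up in the monitoring described under Detection & Monitoring.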
🔍 How to Verify
Check if Vulnerable:
Check Ghostscript version and verify if Tesseract OCR is enabled. Use: gs --version and check configuration for OCR settings.
Check Version:
gs --version
Verify Fix Applied:
Confirm Ghostscript version is 10.03.1 or later with: gs --version
📡 Detection & Monitoring
Log Indicators:
- Unusual OCRLanguage parameter values containing path traversal sequences (../)
- Ghostscript errors related to file access outside expected directories
Network Indicators:
- Unusual PDF processing requests with OCR parameters from untrusted sources
SIEM Query:
source="ghostscript" AND (ocrlanguage="*../*" OR error="*permission denied*" OR error="*no such file*")
🔗 References
- https://bugs.ghostscript.com/show_bug.cgi?id=707510
- https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=3d4cfdc1a44
- https://www.openwall.com/lists/oss-security/2024/07/03/7