CVE-2024-46956
📋 TL;DR
This vulnerability in Ghostscript allows out-of-bounds memory access in the filenameforall function, which could lead to arbitrary code execution. It affects systems running Ghostscript before version 10.04.0, particularly those processing untrusted PostScript or PDF files.
💻 Affected Systems
- Artifex Ghostscript
📦 What is this software?
Ghostscript by Artifex
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the Ghostscript process, potentially leading to full system compromise.
Likely Case
Application crash or denial of service; code execution is possible but requires specific memory layout conditions.
If Mitigated
Limited impact if Ghostscript runs in sandboxed environments or with reduced privileges.
🎯 Exploit Status
Exploitation requires crafting a malicious file; no public exploit code is known as of the advisory dates.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.04.0
Vendor Advisory: https://github.com/ArtifexSoftware/ghostpdl/blob/master/doc/News.html
Restart Required: No
Instructions:
1. Download Ghostscript 10.04.0 or later from the official website.
2. Compile and install according to system instructions.
3. Verify the update with 'gs --version'.
🔧 Temporary Workarounds
Disable Ghostscript in vulnerable services
Linux: Remove or disable Ghostscript from applications that process untrusted files, such as image converters or document viewers.
sudo apt remove ghostscript
sudo yum remove ghostscript
Run Ghostscript in sandboxed mode
All platforms: Use the -dSAFER flag to restrict file system access and reduce exploit impact.
gs -dSAFER -sDEVICE=... input.ps
🧯 If You Can't Patch
- Restrict Ghostscript to trusted users and limit file processing to known-safe sources.
- Monitor system logs for crashes or unusual activity related to Ghostscript processes.
🔍 How to Verify
Check if Vulnerable:
Run 'gs --version' and check if the version is below 10.04.0.
Check Version:
gs --version
Verify Fix Applied:
After updating, run 'gs --version' to confirm version 10.04.0 or higher is installed.
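The version check above as a script. This is an added example, not part of the original advisory or of Ghostscript. It compares the version field by field as integers, because a plain string comparison would rank 9.56.1 above 10.04.0. The function names version_lt and classify_gs_version are hypothetical.

```shell
#!/bin/sh
# Added example: classify a Ghostscript version against the fixed release.
FIXED_VERSION="10.04.0"   # patch version stated in this advisory

# version_lt A B: succeed if A < B, comparing dot-separated fields as integers.
# (hypothetical helper name)
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa="${a%%.*}"; fb="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        # Strip leading zeros so fields compare as plain decimal integers;
        # a missing field (e.g. "10.4" vs "10.04.0") counts as 0.
        fa="${fa#"${fa%%[!0]*}"}"; fb="${fb#"${fb%%[!0]*}"}"
        fa="${fa:-0}"; fb="${fb:-0}"
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
    done
    return 1   # equal versions are not "less than"
}

# Prints "vulnerable", "patched", or "unknown" for a version string.
classify_gs_version() {
    case "$1" in
        # Reject empty input and anything that is not digits separated by dots.
        ""|*[!0-9.]*|.*|*.|*..*) echo "unknown"; return 0 ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Check the locally installed binary, if there is one.
if command -v gs >/dev/null 2>&1; then
    installed="$(gs --version 2>/dev/null || true)"
    echo "gs ${installed:-?}: $(classify_gs_version "$installed")"
else
    echo "gs not found on PATH"
fi
```

Distribution packages can carry a backported fix under an older upstream version string, so a "vulnerable" result on a distro build should be confirmed against the package changelog or the distribution's security announcement.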
📡 Detection & Monitoring
Log Indicators:
- Segmentation faults or crashes in Ghostscript processes
- Error messages related to 'filenameforall' or 'zfile.c'
Network Indicators:
- Unusual file uploads to services using Ghostscript
- Increased network traffic from document processing systems
SIEM Query:
process_name:"gs" AND (event_type:"crash" OR error_message:"segmentation fault")
🔗 References
- https://bugs.ghostscript.com/show_bug.cgi?id=707895
- https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32cd3ed26c24327de714bf2c3ed6ca
- https://github.com/ArtifexSoftware/ghostpdl/blob/master/doc/News.html
- https://www.suse.com/support/update/announcement/2024/suse-su-20243942-1/
- https://lists.debian.org/debian-lts-announce/2024/11/msg00023.html