Semmle Discovers Vulnerabilities in Ghostscript Interpreter Used to Process Postscript and PDF Files
Semmle announced today that it discovered a series of vulnerabilities which could allow for remote takeover of systems running unpatched versions of Ghostscript, an interpreter that processes PostScript and PDF files. Ghostscript is included with most Linux distributions and is commonly used by websites, web services, applications and cloud platforms. The vulnerabilities (CVE-2018-19475, CVE-2018-19134, CVE-2018-19476 and CVE-2018-19477), found by Semmle researcher Man Yue Mo, are variants of the critical vulnerabilities discovered by Tavis Ormandy of Project Zero in August. The vulnerabilities have been patched in Ghostscript 9.26, which was released yesterday.
This article was last updated on November 26 with details about the exact CVE numbers.
Ghostscript is used by a large number of applications, including ImageMagick, Evince, GIMP, and other PDF/PS tools. It is shipped with many (if not all) Linux distributions, including Red Hat, Ubuntu, and Debian. If a maliciously crafted file is opened or processed on an unpatched system, the attacker who supplied it can execute arbitrary code with the privileges of the user or service that runs Ghostscript; for a web service that converts or thumbnails uploaded documents, that means code execution on the server without any authentication. From that foothold, the compromised machine can then be used to attack other devices on the same network. The vulnerabilities are easy to exploit.
Users of Ghostscript should immediately upgrade their systems to the latest version, available from the Ghostscript project's download page. Most Linux distributions will be working to include the Ghostscript patch in the software packages they supply to end users in the days and weeks to come.
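A quick way to check an installed copy against the fixed release, as an added example that is not part of Semmle's post: the script below reads the version string printed by the gs binary and compares it numerically, component by component, against 9.26 (the names FIXED_GS_VERSION, version_lt, gs_needs_upgrade and installed_gs_version are this example's own). One caveat for distribution packages: vendors often backport a security fix without changing the upstream version number, so a gs that reports 9.25 may already carry the fix; in that case the package changelog, not the version string, is the authority.

```shell
#!/bin/sh
# Added example, not from Semmle or the Ghostscript project.
# Compares the installed Ghostscript version against the first fixed release.
FIXED_GS_VERSION="9.26"

# version_lt A B: succeeds (exit 0) if dotted version A is older than B.
# Components are compared as integers, so 9.9 < 9.26 (unlike a string sort).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0;
            y = (i <= nb) ? pb[i] + 0 : 0;
            if (x < y) exit 0;
            if (x > y) exit 1;
        }
        exit 1;   # equal versions are not "less than"
    }'
}

# gs_needs_upgrade VERSION: succeeds if VERSION predates the fixed release.
gs_needs_upgrade() {
    version_lt "$1" "$FIXED_GS_VERSION"
}

# installed_gs_version: prints the version reported by gs, fails if gs is absent.
installed_gs_version() {
    command -v gs >/dev/null 2>&1 || return 1
    gs --version 2>/dev/null | head -n 1
}

# Stand-alone use: report on the gs found on PATH, if any.
if gs_ver=$(installed_gs_version); then
    if gs_needs_upgrade "$gs_ver"; then
        echo "Ghostscript $gs_ver is older than $FIXED_GS_VERSION: upgrade (or confirm a vendor backport)"
    else
        echo "Ghostscript $gs_ver is at or above $FIXED_GS_VERSION"
    fi
else
    echo "gs not found on PATH"
fi
```

Applications that embed Ghostscript through a delegate (ImageMagick, for instance) call whatever gs binary is on their PATH, so run the check on every host that converts untrusted documents, not only on desktops.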
“Ghostscript is widely used software for many applications in many organizations, built into any software that uses PDF. It’s a Swiss Army Knife, basically.”
The vulnerabilities were discovered by Man Yue Mo as part of his work for the Semmle Security Research Team. Once Tavis Ormandy of Project Zero identified the initial vulnerabilities in Ghostscript, Mo used Semmle QL to conduct variant analysis, writing queries that search the source code for the same vulnerable patterns in other places. Mo will be posting an in-depth explanation of how he discovered the vulnerabilities in Ghostscript on the LGTM Blog in two weeks, allowing time for patches to be distributed and applied on affected systems.
The Ghostscript vulnerabilities were discovered and reported according to this timeline:
CVE-2018-19475 - RCE through stack buffer overflow (demonstrated in the video embedded in the original post):
CVE-2018-19134 - RCE through type confusion:
CVE-2018-19476 and CVE-2018-19477 - potential RCE through type confusion:
Semmle takes coordinated disclosure very seriously. In accordance with our standard practice, the Semmle Security Research Team has collaborated with Artifex to ensure an effective patch is made available as quickly as possible. For more information about our security team, the research they do, and our disclosure policy, visit semmle.com/security.
At Semmle we believe security knowledge should be a shared resource, and the only way to prevent attacks is by bringing together the community of security researchers across the world to share our collective expertise. Semmle’s Security Research Team collaborates with open source teams and enterprises to continually discover and disclose vulnerabilities in popular open source components.
Semmle’s flagship product, LGTM, detects security vulnerabilities and other critical bugs in code bases and software portfolios. LGTM is powered by Semmle’s QL technology, a variant analysis engine that allows developers to write queries for deep semantic code search. Both LGTM and QL are free to use for open source projects at LGTM.com.
At the time of this disclosure, LGTM.com is continuously analyzing every commit of more than 100,000 open source projects. Project teams from organizations including NASA and Google rely on LGTM.com, while closed source code bases within these organizations are analyzed by Semmle’s enterprise product range.
Semmle secures the software that runs the world, with analytics that developers love and CIOs trust. Software engineering and security teams at Credit Suisse, Dell, Google, Microsoft, NASA and Nasdaq depend on the Semmle analytics platform to create more reliable and trustworthy code without slowing down. Headquartered in San Francisco, Semmle is a privately held company funded by Accel, with additional offices in Copenhagen, New York City, Oxford, Seattle and Valencia.