Semmle Discovers Vulnerabilities in Ghostscript Interpreter Used to Process PostScript and PDF Files

Semmle announced today that it discovered a series of vulnerabilities which could allow for remote takeover of systems running unpatched versions of Ghostscript, an interpreter that processes PostScript and PDF files. Ghostscript is included with most Linux distributions and commonly used by websites, web services, applications and cloud platforms. The vulnerabilities (CVE-2018-19475, CVE-2018-19134, CVE-2018-19476 and CVE-2018-19477), found by Semmle researcher Man Yue Mo, are variants of the critical vulnerabilities discovered by Tavis Ormandy of Project Zero in August 2018. The vulnerabilities have been patched in Ghostscript 9.26, released on November 20, 2018.

This article was last updated on November 26 with details about the exact CVE numbers.

Severity and mitigation

Ghostscript is used by a large number of applications, including ImageMagick, Evince, GIMP, and other PDF/PS tools, and is shipped with many (if not all) Linux distributions, including Red Hat, Ubuntu, and Debian. If a maliciously crafted PostScript or PDF file is opened or processed on an unpatched system, the attacker gains arbitrary code execution with the privileges of the process that invoked Ghostscript; a compromised host can then be used to attack other systems on the same network. The file need not be handled deliberately: ImageMagick, for example, hands PostScript and PDF input to Ghostscript automatically, so a web application that merely resizes uploaded images can be exposed. Ghostscript's -dSAFER mode restricts what PostScript code may do to the file system, but it does not prevent memory corruption inside the interpreter, so it is not a substitute for the patch. The vulnerabilities are easy to exploit.

Users of Ghostscript should immediately upgrade to the latest version (9.26 or later), which can be downloaded here. Most Linux distributions will be working to include the Ghostscript patch in the packages they supply to end users in the days and weeks to come; until then, check the installed version with gs --version and, where ImageMagick is in the processing path, confirm that its policy does not allow PostScript and PDF input to reach Ghostscript.
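
A local audit script, added here as an example and not part of Semmle's or Artifex's tooling: it compares a Ghostscript version string against 9.26 (the first release carrying the fixes for the four CVEs above) and checks whether an ImageMagick policy.xml disables the PS, EPS and PDF coders, which is the usual way to keep ImageMagick from invoking Ghostscript on uploaded files. The policy file paths searched and the attribute order matched in the policy lines are assumptions; adjust them for your distribution.

```shell
#!/bin/sh
# Added audit example (not from the original article or from Ghostscript/ImageMagick).
# First Ghostscript release carrying the fixes for CVE-2018-19475, CVE-2018-19134,
# CVE-2018-19476 and CVE-2018-19477.
FIXED_MAJOR=9
FIXED_MINOR=26

# gs_needs_update VERSION
# Returns 0 (true) when VERSION is older than 9.26, 1 otherwise.
# Handles "9.25", "9.26", "9.26rc1", "10.01.2" and a bare "9".
gs_needs_update() {
    case "$1" in
        *.*) major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*} ;;
        *)   major=$1; minor=0 ;;
    esac
    # Keep only digits so the integer comparisons below are safe.
    major=$(printf '%s' "$major" | tr -cd '0-9')
    minor=$(printf '%s' "$minor" | tr -cd '0-9')
    [ -n "$major" ] || return 0   # unparseable: treat as needing attention
    [ -n "$minor" ] || minor=0
    [ "$major" -lt "$FIXED_MAJOR" ] && return 0
    [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -lt "$FIXED_MINOR" ] && return 0
    return 1
}

# imagemagick_blocks_ps POLICY_FILE
# Returns 0 when POLICY_FILE contains a rights="none" coder policy for each of
# PS, EPS and PDF, i.e. ImageMagick will refuse such input instead of passing
# it to Ghostscript. Assumes the attribute order ImageMagick's own policy.xml
# uses: <policy domain="coder" rights="none" pattern="PS" />
imagemagick_blocks_ps() {
    for coder in PS EPS PDF; do
        grep -Eq "<policy[^>]*domain=\"coder\"[^>]*rights=\"none\"[^>]*pattern=\"$coder\"" "$1" \
            || return 1
    done
    return 0
}

# Usage: audit the local system. Each check only runs if the tool is present.
if command -v gs >/dev/null 2>&1; then
    ver=$(gs --version)
    if gs_needs_update "$ver"; then
        echo "gs $ver is older than 9.26: update Ghostscript"
    else
        echo "gs $ver includes the 9.26 fixes"
    fi
fi
# Assumed policy.xml locations (Debian/Ubuntu and Red Hat style); adjust as needed.
for policy in /etc/ImageMagick-6/policy.xml /etc/ImageMagick-7/policy.xml /etc/ImageMagick/policy.xml; do
    [ -f "$policy" ] || continue
    if imagemagick_blocks_ps "$policy"; then
        echo "$policy: PS/EPS/PDF coders disabled"
    else
        echo "$policy: PS/EPS/PDF coders enabled, Ghostscript will be invoked on such input"
    fi
done
```

Disabling the coders in ImageMagick only removes one entry point; anything else that calls gs (print spoolers, document viewers, thumbnailers) still needs the 9.26 package.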

“Ghostscript is widely used software for many applications in many organizations, built into any software that uses PDF. It’s a Swiss Army Knife, basically.”

Man Yue Mo / Security Researcher at Semmle

About the discovery

The vulnerabilities were discovered by Man Yue Mo as part of his work for the Semmle Security Research Team. Once Tavis Ormandy of Project Zero identified the initial vulnerabilities in Ghostscript, Mo used Semmle QL to conduct variant analysis, writing queries that search the source code for the same vulnerable patterns. Mo will be posting an in-depth explanation of how he discovered the vulnerabilities in Ghostscript on the LGTM Blog in two weeks, allowing time for patches to be distributed and applied on affected systems.

Disclosure timelines

The Ghostscript vulnerabilities were discovered and reported according to this timeline:

CVE-2018-19475 - RCE through stack buffer overflow (in the video above):

  • November 12, 2018: Discovery of the vulnerability.
  • November 12: Privately disclosed to Artifex, the developers of Ghostscript. Proof-of-concept exploit included.
  • November 13: Report acknowledged and fixed by Artifex.
  • November 20: Artifex releases patched version 9.26 of Ghostscript.

CVE-2018-19134 - RCE through type confusion:

  • November 8, 2018: Discovery of the vulnerability.
  • November 8: Privately disclosed to Artifex, the developers of Ghostscript. Proof-of-concept exploit included.
  • November 8: Report acknowledged and fixed by Artifex.
  • November 20: Artifex releases patched version 9.26 of Ghostscript.

CVE-2018-19476 and CVE-2018-19477 - potential RCE through type confusion:

  • November 13, 2018: Discovery of the vulnerabilities.
  • November 13: Privately disclosed to Artifex, the developers of Ghostscript. Proof-of-concept exploit included.
  • November 14: Report acknowledged and fixed by Artifex.
  • November 20: Artifex releases patched version 9.26 of Ghostscript.

Coordinated disclosure

Semmle takes coordinated disclosure very seriously. In accordance with our standard practice, the Semmle Security Research Team has collaborated with Artifex to ensure an effective patch is made available as quickly as possible. For more information about our security team, the research they do, and our disclosure policy, visit semmle.com/security.

How Semmle keeps your code safe

At Semmle we believe security knowledge should be a shared resource, and the only way to prevent attacks is by bringing together the community of security researchers across the world to share our collective expertise. Semmle’s Security Research Team collaborates with open source teams and enterprises to continually discover and disclose vulnerabilities in popular open source components.

Semmle’s flagship product, LGTM, detects security vulnerabilities and other critical bugs in code bases and software portfolios. LGTM is powered by Semmle’s QL technology, a variant analysis engine that allows developers to write queries for deep semantic code search. Both LGTM and QL are free to use for open source projects at LGTM.com.

At the time of this disclosure, LGTM.com is continuously analyzing every commit of more than 100,000 open source projects. Project teams from organizations including NASA and Google rely on LGTM.com, while closed source code bases within these organizations are analyzed by Semmle’s enterprise product range.

About Semmle

Semmle secures the software that runs the world, with analytics that developers love and CIOs trust. Software engineering and security teams at Credit Suisse, Dell, Google, Microsoft, NASA and Nasdaq depend on the Semmle analytics platform to create more reliable and trustworthy code without slowing down. Headquartered in San Francisco, Semmle is a privately held company funded by Accel, with additional offices in Copenhagen, New York City, Oxford, Seattle and Valencia.

Contact information

If you would like to speak to us about this vulnerability, please contact us at security@semmle.com, or reach out on Twitter: @SemmleInc @lgtmhq
