Ghostscript security issue CVE-2017-8291


#1

I am surprised no one is talking about this, no blog, no info:
Ghostscript security vulnerability CVE-2017-8291
PDFCreator V 2.5.2 is using GS 9.19, so it is affected?
http://openwall.com/lists/oss-security/2017/04/28/2

Any news on this Robin?


#2

Hi,

thanks for pointing this out, this is the first time I see anything about this, so we will look into this right away. In general it should be possible to replace the gs installed in the PDFCreator program folder (only a subset is installed, so I am not sure if the vulnerability applies to PDFCreator) with the latest version. However, this is of course untested and might cause problems under certain conditions.
At first glance, it seems unlikely the vulnerability can't be exploited easily in connection with PDFCreator, as PDFCreator can't use eps input, but we will update as soon as possible, since Ghostscript binaries are copied to the user's machine during the PDFCreator setup.

Best regards,

Robin


#3

Hi Robin,

right now there is no public update for the ghostscript windows binaries - v9.21 is the newest available at this moment and that seems to be vulnerable too.
Replacing the bin / lib for a 2.3.2 installation caused PDFCreator to stop working and showing a ghostscript error when generating. Didn’t try it with 2.5.2…

Thanks for replying so fast :)


#4

Hello Robin,

do you know when the new PDFCreator with actual ghostscript 9.21 is going to be released?
We cannot simply replace the ghostscript in bin and lib because this doesn’t work with PDFCreator.
Please…


#5

Hi,

I can’t really say when this is going to be possible.
It is more likely that we will directly use the first official release which has this fixed, since updating Ghostscript inside PDFCreator can cause a lot of problems and requires intensive testing. Have you tried with PDFCreator 2.5.2? PDFCreator 2.3.2 still uses Ghostscript 9.10 which is incompatible with Ghostscript v 9.19, so it is certainly incompatible with even newer versions.

Best regards,

Robin


#6

Hi Robin,

just tested it with 2.5.2 and at first glance it seems to be ok to replace the bin and lib with GS 9.21, no errors so far.
Looks like that would be a feasible solution for the next Ghostscript release!

Thank you


#7

Hi there,

Could you please clarify if this vulnerability affects a Windows 7 machine which has PDFCreator 2.5.2?