Ghostscript security issue CVE-2017-8291

fm3 · May 24, 2017, 9:40am

I am surprised no one is talking about this, no blog, no info:
Ghostscript security vulnerabilty CVE-2017-8291
PDFCreator V 2.5.2 is using GS 9.19 so it is affected ?
http://openwall.com/lists/oss-security/2017/04/28/2

Any news on this Robin?

Robin.W · May 24, 2017, 12:22pm

Hi,

thanks for pointing this out, this is the first time I see anything about this, so we will look into this right away. In general it should be possible to replace the gs installed in the PDFCreator program folder (only a subset is installed, so I am not sure if the vulnerability applies to PDFCreator) with the latest version. However, this is of course untested and might cause problems under certain conditions.
At first glance,it seems unlikely the vulnerability can't be exploited easily in connection with PDFCreator, as PDFCreator can't use eps input, but we will update as soon as possible, since Ghostscript binaries are copied to the users machine during the PDFCreator setup.

Best regards,

Robin

fm3 · May 24, 2017, 1:23pm

Hi Robin,

right now there is no public update for the ghostscript windows binaries - v9.21 is the newest available at this moment and that seems to be vulnerable too.
Replacing the bin / lib for a 2.3.2 installation caused PDFCreator to stop working and showing a ghostscript error when generating. Didn’t try it with 2.5.2…

Thanks for replying so fast

fm3 · June 23, 2017, 11:34am

Hello Robin,

do you know when the new PDFCreator with actual ghostscript 9.21 is going to be released?
We cannot simply replace the ghostscript in bin and lib because this doesn’t work with PDFcreator.
Please…

Robin.W · June 23, 2017, 11:47am

Hi,

I can’t really say when this is going to be possible.
It is more likely that we will directly uise the first official release which has this fixed, since updating Ghostscript inside PDFCreator can cause a lot of problems and requires intensive testing. Have you tried with PDFCreaotr 2.5.2? PDFCreator 2.3.2 still uses Ghostscript 9.10 which is incompatible to Ghostscript v 9.19, so it is certainly incompatible to even newer versions.

Best regards,

Robin

fm3 · June 23, 2017, 12:40pm

Hi Robin,

just tested it with 2.5.2 and at first glance it seems to be ok to replace the bin and lib with GS 9.21, no errors so far.
Looks like that would be a feasible solution for the next Ghostscript release!

Thank you

SecQ · June 27, 2018, 1:10am

Hi thr,

Could you please clarrify if this vulnerability affects an windows 7 machine which has the PDF creator 2.5.2 ?