Massive hole in Ghostscript


I’m amused to see Ghostscript described as a small library, but deeply annoyed that a critical “run arbitrary code on your machine” vulnerability disclosed sometime last year is still unfixed, despite it having been verified and bug bounties paid out.

The new proof-of-concept exploit is only 20 lines of Python.

Since it’s embedded in all sorts of software, you may not know that you’re affected by this hole, or for how long you’ll be vulnerable. All it takes is for something in your daily workflow to decide to render a downloaded SVG file via GS.


Comments via Isso

Markdown formatting and simple HTML accepted.

Sometimes you have to double-click to enter text in the form (interaction between Isso and Bootstrap?). Tab is more reliable.