When something's weird in your ImageMagick upload, who ya gonna call? Ghostbusters!

GhostScript's security sandbox is so weak, website admins, developers, and users should block ImageMagick and other tools from using the software altogether. Returning from a sabbatical, noted Google Project Zero researcher Tavis Ormandy this week emitted new ways to execute arbitrary code on vulnerable servers and similar …

  1. frank ly

    Me Too?

    "... vulnerable servers and similar machines that process incoming files using GhostScript."

    Does this include me, who downloads .pdf files for viewing/printing with Evince or .xcf files for viewing/printing using GIMP on a Debian 9 system?

    1. Richard 12 Silver badge

      Yes

      Servers cannot trust clients, and clients cannot trust servers.

      Who made that PDF, anyway?

  2. Destroy All Monsters Silver badge

    "untrusted data to GhostScript"

    Is that like, when you have downloaded a PDF and a preview image is generated in the file browser?

    The Langsec problem strikes again.

  3. RAMChYLD

    This cannot be good

    One of the web enterprise apps I developed uses Ghostscript.NET to convert PDF files (alongside Bitmap, GIF and PNG files) to JPEG for storage in SQL Server, and does the reverse when the user requests a "photo album" of their JPEG images: the app grabs the relevant JPEG images (in this case, digital copies of issued certificates for the customer), compiles them into a PDF, and lets the customer download it. Removing Ghostscript would completely break this, which is one of the main functions of the program.

    Although, as it stands, only authorized employees are allowed to perform any image uploads at all. But I shudder to think what will happen if someone manages to steal the credentials of one of the employees.

    Why is Ghostscript allowed to be so daft tho? They've been alive for over 30 years, and have had plenty of time to implement input sanitization.

    1. Anonymous Coward

      Re: This cannot be good

      Why is Ghostscript allowed to be so daft tho? They've been alive for over 30 years, and have had plenty of time to implement input sanitization.

      Sanitization is probably not possible, even Sun didn't manage this with the Java Sandbox. You are crunching through whole programs after all. The best you can do is put the generator into a screambox (gingerly feed input into an isolated box, once a scream comes from inside the box, you burn the box down and start afresh, automatically). Such is life with computers.

    2. flibble

      Re: This cannot be good

      I don't know if it's the case or not, but your post makes it sound like you're running ghostscript on essentially untrusted input and that you're giving it significantly more permissions than it needs to perform the conversion (i.e. it has permissions to access other data on your system).

      ghostscript may have bugs in its implementation, but if the above is true then in my opinion you have an issue in your architecture. Isolating the conversion into a service that has no more permissions than necessary would make a lot of sense to me - i.e. the 'screambox' anonymous coward suggests in the next post.

      That said, my understanding is these exploits apply to postscript interpretation, so if you are correctly invoking ghostscript's PDF engine then these bugs may not affect you.

  4. pavel.petrman

    ImageTragick

    We've used the thing as a quick solution some years ago to convert user-submitted PDFs and pictures to standard formatted and resolution limited image files. A few months ago we gave up our laziness and wrote our own thing, which had two effects - the conversion takes tenths of a second instead of tens of seconds, and the servers suddenly ceased to develop unexplained instances of bluescreenitis. Together with the change in licensing of GhostScript some months (or is it years already?) ago, this makes the whole ImageMagick & GhostScript combo not very appealing.

  5. kens

    Disclosure: I am part of the Ghostscript development team.

    It is highly unfortunate that, due to a consensus of opinion on a mailing list, this issue was not responsibly disclosed. The information was made public before the development team was made aware of any problems. The Project Zero team state that vendors are informed privately and given 90 days to respond; in this case the first we knew of any problems was when a friendly distributor tipped us off that disclosure had already occurred. The bugs in question were not reported to us until *after* the CERT was issued.

    RAMChYLD "Why is Ghostscript allowed to be so daft tho? They've been alive for over 30 years, and have had plenty of time to implement input sanitization."

    It is unfortunately true that software has bugs, since you're a software developer I'm sure you are aware of this. We've already done a lot to respond to security issues, in fact Tavis refers to a previous disclosure which *also* went public before informing us and which we rapidly addressed. So we're a little disappointed not to have been contacted in the first instance.

    Nevertheless, the point is that Ghostscript is a PostScript interpreter, and PostScript is a programming language. It's not too terribly surprising to discover that if you run random programs on your computer, they can be malicious!

    Note that in the case of PDF files none of the exploits so far reported to us, at least, are possible. You need to use *PostScript* files. Of course, if you differentiate your files by extension then it's possible to disguise a PostScript file as a PDF file, so we're not being complacent about this. The same is also true of PCL, PXL and XPS files, despite Tavis's comment about disabling these as well in policy.xml, and in the case of PCL, PXL and XPS files, even disguising a PostScript file with an extension won't get you anywhere: the file simply won't process and will throw an error.

    Finally, this is open source software (though your usage sounds suspiciously like it may not be legal under the AGPL) so nobody 'allows it'. The software is supplied 'as is' without warranty or support. You did read the licence, yes?
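    Two of the points in this thread lend themselves to a defender-side check: kens's note that the reported bugs need a *PostScript* program, which can be disguised behind a .pdf extension if you trust extensions, and the article's advice (and Tavis's, as kens mentions) to disable the Ghostscript-backed coders in ImageMagick's policy.xml. The script below is an added example, not code from the thread, from Ghostscript or from ImageMagick. It classifies an upload by its leading bytes instead of its extension, and audits a policy.xml for coders that are still allowed. The magic numbers and coder names (PS, PS2, PS3, EPS, PDF, XPS) are the standard ones; the policy.xml snippets are constructed for the example, and the brace-pattern handling is a simplification of ImageMagick's real pattern matching.

```python
"""Added example: content sniffing and policy.xml audit for Ghostscript-backed uploads.
Not part of the Register thread, Ghostscript or ImageMagick."""
import os
import xml.etree.ElementTree as ET

# Leading bytes for the formats discussed in the thread (standard values).
# PCL jobs normally begin with a PJL universal exit or a plain PCL reset;
# XPS is a ZIP container, so it begins with the ZIP local-file header.
_MAGIC = (
    (b"%PDF-", "pdf"),
    (b"%!PS", "postscript"),
    (b"\xc5\xd0\xd3\xc6", "postscript"),   # DOS EPS binary header
    (b"\x1b%-12345X", "pcl"),
    (b"\x1bE", "pcl"),
    (b"PK\x03\x04", "xps"),
)

# What each accepted extension is supposed to contain.
_EXT_TO_FORMAT = {
    ".pdf": "pdf",
    ".ps": "postscript", ".eps": "postscript",
    ".pcl": "pcl", ".pxl": "pcl",
    ".xps": "xps",
}

# Coders that hand the file to Ghostscript (the ones the article says to block).
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")


def sniff_format(data: bytes) -> str:
    """Classify a file by its first bytes; 'unknown' if no magic matches."""
    head = data[:16]
    for magic, fmt in _MAGIC:
        if head.startswith(magic):
            return fmt
    return "unknown"


def extension_matches_content(filename: str, data: bytes) -> bool:
    """True only if the extension is one we accept AND the bytes agree with it.
    A PostScript program renamed to .pdf fails this check."""
    expected = _EXT_TO_FORMAT.get(os.path.splitext(filename)[1].lower())
    return expected is not None and sniff_format(data) == expected


def ghostscript_coders_blocked(policy_xml: str) -> list:
    """Return the Ghostscript-backed coders that policy.xml still permits.

    A coder counts as disabled when a <policy domain="coder" rights="none"
    pattern="..."/> names it. Only exact names, '*' and the brace list form
    "{PS,PS2,...}" are recognised here (a simplification of ImageMagick's globs).
    """
    root = ET.fromstring(policy_xml)
    blocked = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights") != "none":
            continue
        pat = pol.get("pattern", "")
        if pat == "*":
            return []
        if pat.startswith("{") and pat.endswith("}"):
            blocked.update(p.strip().upper() for p in pat[1:-1].split(","))
        else:
            blocked.add(pat.upper())
    return [c for c in GHOSTSCRIPT_CODERS if c not in blocked]


# Constructed sample policies (not copied from any real installation).
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
</policymap>"""

if __name__ == "__main__":
    # Constructed upload: a PostScript program wearing a .pdf extension.
    disguised = b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\n"
    print("cert.pdf content:", sniff_format(disguised))
    print("extension matches:", extension_matches_content("cert.pdf", disguised))
    print("weak policy still allows:", ghostscript_coders_blocked(WEAK_POLICY))
    print("hardened policy still allows:", ghostscript_coders_blocked(HARDENED_POLICY))
```

    Run `extension_matches_content` before anything hands the file to a converter, and keep the policy audit in a deployment check so a package upgrade that rewrites policy.xml does not silently re-enable the coders. The sniffer is deliberately strict: a file it cannot classify is rejected rather than passed through on the strength of its name.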

    1. Pascal Monett Silver badge

      Kudos for stepping up to the plate

      And an upvote for the clarifications. Now I understand what Ghostscript is doing and what it is based on, and yes, as a programmer I fully understand that you're working on interpreting a programming language.

      That's obviously an open door to all sorts of shenanigans, and can only work if the spirit of the system is always honored.

      But still, sanitizing the incoming code should be possible, to a certain point. Whether that would make any difference is not something I can judge.

      1. A Non e-mouse Silver badge

        Re: Kudos for stepping up to the plate

        sanitizing the incoming code should be possible

        No

    2. GnuTzu

      "the point is that Ghostscript is a PostScript interpreter, and PostScript is a programming language."

      And, consider what company brought us this language, over 30 years ago.
