CVE-2023-36664 Update?
#1
Hello together, 
is there any news on the CVE-2023-36664 vulnerability (Ghostscript)? Is there an update planned? And if so, by when can it be expected?
Many greetings
Reply
#2
Why should Gimp be impacted? If you run it on Linux, it uses the system Ghostscript (assuming it uses Ghostscript).
Reply
#3
There are several references to Gimp and the vulnerability under Windows, here is an example:

Critical Vulnerability in Ghostscript
Published on 13 Jul 2023 | Updated on 13 Jul 2023
Security researchers have discovered a critical vulnerability (CVE-2023-3664) in Ghostscript, an open-source interpreter for PostScript language and PDF files widely used in Linux. The vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code through a specially crafted file due to improper handling of permission validation for pipe devices.
The vulnerability affects all versions of Ghostscript before 10.01.2. Applications on other operating systems, such as Windows, that use a port of affected Ghostscript versions also inherit this vulnerability.
Users and administrators of Linux systems are advised to upgrade to the latest version of Ghostscript, 10.01.2, using their distribution's package manager.
Users and administrators of open-source software that use ports of Ghostscript, such as LibreOffice, GIMP, Inkscape, Scribus, and ImageMagick, are advised to update to the latest versions when they are made available.
Sigma rules to detect possible exploitation of CVE-2023-3664 are available at https://github.com/KrollCYB/Kroll-CYB/tr...2023-36664.
More information is available here:
https://www.kroll.com/en/insights/public...nerability
https://www.bleepingcomputer.com/news/se...f-library/
Reply
#4
It is "Proof of concept" and "Exploitation can occur upon opening a file."

No need to be paranoid, has anyone found such a file? Ghostscript (GS) handles PostScript (including PDF) files. At one time GS was a separate Gimp installation, now it is embedded so you will probably have to wait for a Gimp installer revision.

If you are worried about it, reinstall Gimp and use the customise option. It is on by default, untick Postscript support.

   

For Linux (Ubuntu 20.04 and 22.04), I did notice a GS update a couple of days ago. Maybe that was the patch.
I see ImageMagick (IM) mentioned. IM uses a policy file and GS has been disabled in that for a long time.

Bottom line, and the same for anything / everything, be careful what you download. Avoid dubious PDFs from those dodgy Russian sites :)
Reply
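Added example, not part of any post in this thread: a small Python audit for the two checks discussed above, namely whether a Ghostscript version string is older than the fixed release 10.01.2 named in the quoted advisory, and whether an ImageMagick policy file blocks the Ghostscript-backed coders. The coder list and the sample policy are assumptions constructed for illustration, and any setting other than `rights="none"` is reported conservatively as exposed.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders that ImageMagick hands to Ghostscript (assumed list for this example).
GS_CODERS = ["PS", "PS2", "PS3", "EPS", "PDF", "XPS"]
FIXED = (10, 1, 2)  # first fixed Ghostscript release per the advisory quoted above

# Constructed sample policy: PDF is deliberately left readable.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS}"/>
  <policy domain="coder" rights="read" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>"""


def gs_is_affected(version):
    """True if a Ghostscript version string such as '10.01.1' is before 10.01.2."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts + (0,) * (3 - len(parts)) < FIXED


def _alternatives(pattern):
    """Expand a single-level brace list: '{PS,EPS}' -> ['PS', 'EPS']."""
    m = re.fullmatch(r"\{(.*)\}", pattern.strip())
    return [p.strip() for p in m.group(1).split(",")] if m else [pattern.strip()]


def exposed_coders(policy_xml):
    """Return Ghostscript-backed coders the policy does not set to rights="none"."""
    rights = {}
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") != "coder":
            continue
        for alt in _alternatives(pol.get("pattern", "")):
            for coder in GS_CODERS:
                if fnmatch.fnmatchcase(coder, alt.upper()):
                    # Assumption: a later matching entry overrides an earlier one.
                    rights[coder] = pol.get("rights", "").lower()
    return [c for c in GS_CODERS if rights.get(c) != "none"]


if __name__ == "__main__":
    print("Ghostscript 10.01.1 affected:", gs_is_affected("10.01.1"))
    print("Coders not blocked by sample policy:", exposed_coders(SAMPLE_POLICY))
```

To check a real system, pass the version string reported by the installed Ghostscript and the contents of the active ImageMagick `policy.xml`.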
#5
Ah, okay.

Thank you very much for the quick help.
Reply

