Gimp-Forum.net GIMP General questions
CVE-2023-36664 Update?

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Thread Modes
CVE-2023-36664 Update?
Gp_Ego_2.1 Offline
Newbie
**
Posts: 3
Threads: 1
Joined: Jul 2023
Reputation: 0
Gimp version: 3.0
#1
07-19-2023, 05:55 AM
Hello together, 
is there any news on the CVE-2023-36664 vulnerability (Ghostscript)? Is there an update planned? And if so, by when can it be expected?
Many greetings
Find
Reply
Ofnuts Offline
Administrator
*******
Posts: 6,024
Threads: 258
Joined: Oct 2016
Reputation: 538
Operating system(s):
  • Linux

Gimp version: 2.10
#2
07-19-2023, 06:42 AM
Why should Gimp be impacted? If you run it on Linux, it uses the system Ghostscript (assuming it uses Ghoscrript).
Find
Reply
Gp_Ego_2.1 Offline
Newbie
**
Posts: 3
Threads: 1
Joined: Jul 2023
Reputation: 0
Gimp version: 3.0
#3
07-19-2023, 07:30 AM
There are several references to Gimp and the vulnerability under Windows, here is an example:

Critical Vulnerability in Ghostscript
Published on 13 Jul 2023 | Updated on 13 Jul 2023
Security researchers have discovered a critical vulnerability (CVE-2023-3664) in Ghostscript, an open-source interpreter for PostScript language and PDF files widely used in Linux. The vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code through a specially crafted file due to improper handling of permission validation for pipe devices.
The vulnerability affects all versions of Ghostscript before 10.01.2. Applications on other operating systems, such as Windows, that use a port of affected Ghostscript versions also inherit this vulnerability.
Users and administrators of Linux systems are advised to upgrade to the latest version of Ghostscript, 10.01.2, using their distribution's package manager.
Users and administrators of open-source software that use ports of Ghostscript, such as LibreOffice, GIMP, Inkscape, Scribus, and ImageMagick, are advised to update to the latest versions when they are made available.
Sigma rules to detect possible exploitation of CVE-2023-3664 are available at https://github.com/KrollCYB/Kroll-CYB/tr...2023-36664.
More information is available here:
https://www.kroll.com/en/insights/public...nerability
https://www.bleepingcomputer.com/news/se...f-library/
Find
Reply
rich2005 Offline
Administrator
*******
Posts: 6,852
Threads: 153
Joined: Oct 2016
Reputation: 963
Operating system(s):
  • Linux

Gimp version: 2.10
#4
07-19-2023, 07:57 AM (This post was last modified: 07-19-2023, 08:04 AM by rich2005. Edit Reason: typo )
It is "Proof of concept" and "Exploitation can occur upon opening a file."

No need to be paranoid, has anyone found such a file ? Ghostscript (GS) handles postscript (including PDF) files. At one time GS was a separate Gimp installation, now it is embedded so you will probably have to wait for a Gimp installer revision.

If you are worried about it, reinstall Gimp and use the customise option. It is on by default, untick Postscript support.

   

For linux, (ubuntu 20.04 and 22.04) I did notice a GS update a couple of days ago. Maybe that was the patch.
I see ImageMagick (IM) mentioned. IM uses a policy file and GS has been disabled in that for a long time.

Bottom line, and the same for anything / everything, be careful what you download. Avoid dubious PDF's from those dodgy Russian sites Smile
Find
Reply
Gp_Ego_2.1 Offline
Newbie
**
Posts: 3
Threads: 1
Joined: Jul 2023
Reputation: 0
Gimp version: 3.0
#5
07-19-2023, 08:04 AM
Ah, okay.

Thank you very much for the quick help.
Find
Reply


Forum Jump: