Ghostscript Vulnerabilities

Background

Numerous Ghostscript vulnerabilities have been identified over the years. Some PaperCut products use Ghostscript as a third-party library and are therefore flagged as vulnerable by vulnerability scans.

Ghostscript vulnerabilities include:

Mobility Print

The following applies to Windows only if Ghostscript is used from the GhostTrap package.

Mobility Print versions before 1.0.3461 use Ghostscript version 9.10 by default. New installs after 1.0.3461 use the latest GhostTrap, which is based on Ghostscript 9.27 at this time.

On Windows, if you are using 1.0.3461 or later, it is recommended to manually install the latest GhostTrap and then restart the service.

However, if you need to address vulnerabilities beyond those fixed in the packaged Ghostscript, you can switch to your chosen distribution of Ghostscript at the latest version using the steps below:

macOS and Linux

Ensure you’re using the latest version (9.55) of Ghostscript, which would have been installed as part of the Mobility Print setup steps.

Windows

If you already have GhostTrap installed as documented in the Mobility Print setup steps, proceed with the following. Otherwise, first install GhostTrap and then continue with the instructions below:

You’ll need to install the latest Ghostscript version on top of the GhostTrap installation, and update the registry to use that newly installed version.

Note that following these steps means that you will be responsible for maintaining updates for Ghostscript and will also lose any protections from the Chromium sandboxing as discussed above.

  1. Download the latest Ghostscript for Windows installer from here. This will install to, e.g., C:\Program Files\gs\gs9.55.0
  2. Copy the Ghostscript binary in the bin folder (gswin64c.exe) to gsc-trapped.exe. Note: make a copy so that you end up with both the original gswin64c.exe and the new copy named gsc-trapped.exe.
  3. Head into the registry and find: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GhostTrap
  4. Update InstallPath to: C:\Program Files\gs\gs9.55.0 (or wherever you installed the new Ghostscript binaries to)
  5. Delete the folder C:\Program Files (x86)\GhostTrap (this removes the old Ghostscript files). Note: don’t uninstall GhostTrap, since this will remove the registry key required, as noted above.
  6. Restart the Mobility Print service and send a PostScript print job to test. Note: the Mobility Print logs will show whether ps2pdf is found and working, e.g.:

2022/03/09 11:26:33 mobility-print.exe: STDOUT|SUPPORT: ps2pdf is found and is working: {"ps2pdf":"C:\\PROGRA~1\\gs\\GS955?~1.0\\bin\\gsc-trapped.exe"} {"src":"ps2pdf.go:50"}
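
To confirm the result of the Windows steps above without changing anything, the following read-only PowerShell check can be run on the Mobility Print server. It is an added example, not PaperCut's own tooling: the registry key, file names and folder come from the steps above, while the MinimumVersion parameter and its 9.55.0 default are assumptions to adjust.

```powershell
# Added example: read-only audit of the manual Ghostscript swap (steps 1-6).
param(
    # Assumption: the lowest Ghostscript version you accept as patched.
    [version]$MinimumVersion = '9.55.0'
)

$regKey  = 'HKLM:\SOFTWARE\WOW6432Node\GhostTrap'   # key from step 3
$oldDir  = 'C:\Program Files (x86)\GhostTrap'       # folder deleted in step 5
$results = [ordered]@{}

# Steps 3-4: InstallPath must exist and point at the new Ghostscript folder.
$installPath = (Get-ItemProperty -Path $regKey -Name InstallPath `
                -ErrorAction SilentlyContinue).InstallPath
$results['Registry InstallPath is set'] = [bool]$installPath

if ($installPath) {
    $bin      = Join-Path $installPath 'bin'
    $original = Join-Path $bin 'gswin64c.exe'
    $trapped  = Join-Path $bin 'gsc-trapped.exe'

    # Step 2: both binaries must be present.
    $bothExist = (Test-Path $original) -and (Test-Path $trapped)
    $results['gswin64c.exe and gsc-trapped.exe both present'] = $bothExist

    if ($bothExist) {
        # A later Ghostscript upgrade replaces gswin64c.exe but not the copy,
        # so a hash mismatch means gsc-trapped.exe is stale.
        $h1 = (Get-FileHash $original -Algorithm SHA256).Hash
        $h2 = (Get-FileHash $trapped  -Algorithm SHA256).Hash
        $results['gsc-trapped.exe matches gswin64c.exe'] = ($h1 -eq $h2)

        # Ask the binary that Mobility Print will run for its version.
        $reported = "$(& $trapped --version 2>$null | Select-Object -First 1)".Trim()
        $parsed   = $null
        $ok = [version]::TryParse($reported, [ref]$parsed) -and ($parsed -ge $MinimumVersion)
        $results["Version '$reported' is at least $MinimumVersion"] = $ok
    }
}

# Step 5: the old packaged Ghostscript files should be gone.
$results['Old GhostTrap folder removed'] = -not (Test-Path $oldDir)

$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
if ($results.Values -contains $false) { exit 1 }
```

Because this setup makes you responsible for Ghostscript updates, re-run the check after every Ghostscript upgrade; a stale gsc-trapped.exe shows up as a hash or version failure.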

Product updates

As a longer-term fix, we are hoping to update Mobility Print to include the latest patched versions of Ghostscript. If you have questions about the above or about the update, please contact us, mention this KB, and reference [PO-351]. Thank you!