Ghostscript Vulnerabilities
Numerous Ghostscript vulnerabilities have been identified over the years. Some PaperCut products use Ghostscript as a third-party library and are therefore flagged as vulnerable by vulnerability scans.
Ghostscript vulnerabilities include:
- CVE-2019-14869 - Ghostscript 9.x up to 9.50 (fixed in 9.50)
- CVE-2019-14817 - Ghostscript 9.x up to 9.50 (fixed in 9.50)
- CVE-2019-14813 - Ghostscript 9.x up to 9.50 (fixed in 9.50)
- CVE-2019-14812 - Ghostscript 9.x up to 9.50 (fixed in 9.50)
- CVE-2019-14811 - Ghostscript 9.x up to 9.50 (fixed in 9.50)
- CVE-2019-10216 - Ghostscript 9.x up to 9.50 (fixed in 9.50)
- CVE-2020-16302 - Ghostscript 9.50 (fixed in 9.51)
- CVE-2020-16303 - Ghostscript 9.50 (fixed in 9.51)
- CVE-2020-16304 - Ghostscript 9.50 (fixed in 9.51)
The following applies to Windows only if Ghostscript is used from the GhostTrap package.
For Windows, it is recommended to manually install the latest GhostTrap if using 1.0.3461 or later, and then restart the service.
However, if you need to remove any other vulnerabilities beyond what’s in the packaged Ghostscript, you can switch to the latest version of your chosen Ghostscript distribution using the steps below:
macOS and Linux
Ensure you’re using the latest version (9.55) of Ghostscript, which would have been installed as part of the Mobility Print setup steps.
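To confirm which of the CVEs listed above still apply to the Ghostscript actually present on a macOS or Linux host (for example when triaging a scanner finding), the following added example, which is not PaperCut code, compares a version string such as the output of `gs --version` against the fix releases given on this page. The function names and the `--check` argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not PaperCut code. CVE ids and fix releases are the ones
# listed on this page; everything else (function names, --check) is assumed.
FIXES='CVE-2019-14869 9.50
CVE-2019-14817 9.50
CVE-2019-14813 9.50
CVE-2019-14812 9.50
CVE-2019-14811 9.50
CVE-2019-10216 9.50
CVE-2020-16302 9.51
CVE-2020-16303 9.51
CVE-2020-16304 9.51'

# ver_key VERSION: print major*1000+minor so releases compare as integers.
# The patch level is ignored because the page gives fixes as major.minor.
ver_key() {
    case $1 in
        [0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case $major$minor in *[!0-9]*) return 2 ;; esac
    # Strip leading zeros ("10.02" -> minor 2) so the shell does not read octal.
    minor=$(printf '%s\n' "$minor" | sed 's/^0*\([0-9]\)/\1/')
    echo $(( major * 1000 + minor ))
}

# unfixed_cves VERSION: print each listed CVE whose fix release is newer than
# VERSION. Assumption: any release older than the fix is treated as unfixed.
unfixed_cves() {
    have=$(ver_key "$1") || return 2
    echo "$FIXES" | while read -r cve fixed; do
        if [ "$have" -lt "$(ver_key "$fixed")" ]; then echo "$cve"; fi
    done
}

# Running the script with --check inspects the Ghostscript found on PATH.
if [ "${1:-}" = "--check" ]; then
    v=$(gs --version) || { echo "gs not found on PATH" >&2; exit 2; }
    echo "Ghostscript $v"
    unfixed_cves "$v"
fi
```

An empty result means the installed release is at or past every fix version listed on this page; it says nothing about CVEs that are not in that list.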
If you already have GhostTrap installed as documented in the Mobility Print setup steps, then proceed with the following. Otherwise, first install GhostTrap and then continue with the instructions below:
You’ll need to install the latest Ghostscript version on top of the GhostTrap installation, and update the registry to use that newly installed version.
Note that following these steps means that you will be responsible for maintaining updates for Ghostscript and will also lose any protections from the Chromium sandboxing as discussed above.
- Download the latest Ghostscript for Windows installer from here. This will install to, e.g.,
- Copy the GhostScript binary in the bin folder (
gsc-trapped.exe. Note: make a copy so that you land up with both the original
gswin64c.exe and the new copy named
- Head into the registry and find:
C:\Program Files\gs\gs9.55.0 (or wherever you installed the new Ghostscript binaries to)
- Delete the folder C:\Program Files (x86)\GhostTrap (this removes the old Ghostscript files). Note: don’t uninstall GhostTrap, since this will remove the registry key required, as noted above.
- Restart Mobility Print service and send a PostScript print job to test. Note: the Mobility Print logs will show if ps2pdf is found and working, e.g.:
As a longer-term fix, we are hoping to update Mobility Print to include the latest patched versions of Ghostscript. If you have questions about the above or about the update, please contact us and mention this KB as well as reference [PO-351]. Thank you!
Keywords: ghost trap, ghost script