Find your dream job at PaperCut
Ghost Script Vulnerabilities
Background
There have been numerous Ghost Script vulnerabilities identified over the years. Some PaperCut products use Ghost Script as 3rd party libraries, and are then flagged as vulnerable when performing vulnerability scans.
Ghost Script vulnerabilities include:
- CVE-2019-14869 - Ghostscript 9.x up to 9.50 (fixed in 9.50)
- CVE-2019-14817 - Ghostscript 9.x up to 9.50 (fixed in 9.50)
- CVE-2019-14813 - Ghostscript 9.x up to 9.50 (fixed in 9.50)
- CVE-2019-14812 - Ghostscript 9.x up to 9.50 (fixed in 9.50)
- CVE-2019-14811 - Ghostscript 9.x up to 9.50 (fixed in 9.50)
- CVE-2019-10216 - Ghostscript 9.x up to 9.50 (fixed in 9.50)
- CVE-2020-16302 - Ghostscript 9.50 (fixed in 9.51)
- CVE-2020-16303 - Ghostscript 9.50 (fixed in 9.51)
- CVE-2020-16304 - Ghostscript 9.50 (fixed in 9.51)
Mobility Print
The following applies to Windows only if Ghostscript is used from GhostTrap package
Mobility Print for PaperCut currently uses Ghostscript version 9.10 by default before version 1.0.3461.
New installs after 1.0.3461 use the latest GhostTrap based on Ghostscript 9.27 at this time.
For Windows, it is recommended to manually install the latest GhostTrap if using 1.0.3461 or later and restart the service.
However, if you need to remove any other vulnerabilities beyond what’s in the packaged Ghostscript, you can switch to using your chosen distribution of Ghostscript with the latest version via the below steps:
macOS and Linux
Ensure you’re using the latest version (9.55) of Ghostscript, which would have been installed as part of the Mobility Print setup steps.
Windows
If you already have GhostTrap installed as documented in the Mobility Print setup steps, then proceed with the following. Otherwise first install Ghost Trap and then continue with the instructions below:
You’ll need to install the latest Ghostscript version on top of the GhostTrap installation, and update the registry to use that newly installed version.
Note that following these steps means that you will be responsible for maintaining updates for Ghostscript and will also lose any protections from the Chromium sandboxing as discussed above.
- Download the latest Ghostscript for Windows installer from here. This will install to, e.g.,
C:\Program Files\gs\gs9.55.0 - Copy the GhostScript binary in the bin folder (
gswin64c.exe) togsc-trapped.exe. Note: make a copy so that you land up with both the originalgswin64c.exeand the new copy namedgsc-trapped.exe. - Head into the registry and find:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GhostTrap - Update
InstallPathto:C:\Program Files\gs\gs9.55.0(or wherever you installed the new Ghostscript binaries to) - Delete the folder
C:\Program Files (x86)\GhostTrap(this removes the old Ghostscript files). Note: don’t uninstall GhostTrap, since this will remove the registry key required, as noted above. - Restart Mobility Print service and send a PostScript print job to test. Note: the Mobility Print logs will show if ps2pdf is found and working, e.g.:
2022/03/09 11:26:33 mobility-print.exe: STDOUT|SUPPORT: ps2pdf is found and is working: {”ps2pdf”:”C:\\PROGRA~1\\gs\\GS955?~1.0\\bin\\gsc-trapped.exe”} {”src”:”ps2pdf.go:50”}
Product updates
As a longer term fix, we are hoping to update Mobility Print to include the latest patched versions of Ghost Script. If you have questions about the above or questions about the update, please contact us and mention this KB as well as reference [PO-351]. Thank you!
Categories: How-to Articles, Security and Privacy
Keywords: ghost trap, ghost script
Comments