ghostscript vulnerablity and upgrade ?

[bgroper]

Hi forum
Do we need to be concerned about the cve referenced in this media report ?

Critical RCE found in popular Ghostscript open-source PDF library

Ghostscript, an open-source interpreter for PostScript language and PDF files widely used in Linux, has been found vulnerable to a critical-severity remote code execution flaw.

www.bleepingcomputer.com

Please, what is the-right-way to upgrade ghostscript to version 10.01.2 or later as recommended by the bleeping computer journalist ?

 

[SirDice]

Please, what is the-right-way to upgrade ghostscript to version 10.01.2 or later

You upgrade your ports/packages.

print/ghostscript10 is at 10.01.2, in quarterly and latest.

ports - FreeBSD ports tree

cgit.freebsd.org

 

[bgroper]

I must be doing something wrong. My ghostscript seems stuck in 9.56.1

[root@freebsd13-desktop ~]# uname -a
FreeBSD freebsd13-desktop 13.2-RELEASE-p1 FreeBSD 13.2-RELEASE-p1 GENERIC amd64
[root@freebsd13-desktop ~]# pkg update
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
[root@freebsd13-desktop ~]# pkg upgrade
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
[root@freebsd13-desktop ~]# gs -v
GPL Ghostscript 9.56.1 (2022-04-04)
Copyright (C) 2022 Artifex Software, Inc.  All rights reserved.
[root@freebsd13-desktop ~]#

Pleases and thankyous to help me understand my error.

 

[mer]

pkg info | grep -i ghostscript

That will probably show you having ghostscript9 installed.
SirDice is showing a port named "ghostscript10".

pkg search ghostscript shows:
ghostscript10-10.01.2 PostScript and PDF interpreter
ghostscript10-x11-10.01.2 PostScript and PDF interpreter
ghostscript9-agpl-base-9.56.1_11 PostScript and PDF interpreter
ghostscript9-agpl-x11-9.56.1 PostScript and PDF interpreter, X11 support

You'll have to see what other packages are using ghostscript9. On my system I have ghostscript9-agpl-base/x11 which are used by ImageMagick7, cups-filters and a few others.

 

[SirDice]

Is this bug present in 9? I haven't checked further but it's quite possible for a bug to exist in specific versions. In other words your 9.x version might not be vulnerable to this bug so no reason to upgrade.

The ghostscript version is set by default to 9. So all packages are going to depend on 9.x, not 10.x. If you really want to switch to 10 then you will have to build from ports and set the appropriate DEFAULT_VERSIONS.

 

[SirDice]

After a bit of checking, seems this bug is also present in 9.

June 27, 2023: Ghostscript/GhostPDL 10.01.2 release fixes CVE-2023-36664.

CVE-2023-36664 affects all Ghostscript/GhostPDL versions prior to 10.01.2.

Ghostscript

Ghostscript is the #1 PDL conversion and interpreter tool available, offering native rendering of PDF, PostScript, PCL, XPS, raster and vector files, as well as ASCII text.

ghostscript.com

So, set DEFAULT_VERSIONS+= ghostscript=10 in make.conf and rebuild everything that depends on Ghostscript.

 

[Michael-O]

Maintainer of print/ghostscript10 here: I wouldn't recommend using GS9 for several reasons:
* Unsupported by upstream
* Custom downstream patches break use cases (for me too)
* Port maintainer does not respond

I requested to expire and remove this port: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272131

I would everyone to move to 10. I will create an issue in August to move the default version to 10 with the next quarterly.

 

[mer]

Michael-O thanks for the update. Looking at dependencies on my system, I think in theory it should be a trivial upgrade, but of course theory and reality may be at odds.

 

[bgroper]

After a bit of checking, seems this bug is also present in 9.
....
So, set DEFAULT_VERSIONS+= ghostscript=10 in make.conf and rebuild everything that depends on Ghostscript.

Please, what is the-right-way to discover everything that depends upon Ghostscript ?
Sorry if my question is trivial. Yes, I'm new to FreeBSD.

 

[monwarez]

You can get a first list of reverse dependency with: pkg query %rn ghostscript9-agpl-base.
Then you construct the dependency tree by doing a full traversal of each direct dependency (like ImageMagick7, inkscape, etc.).
A program to show the dependency tree of a program with pkg already exists but I don't recall the name (in combination with the dot program to generate the graph).

 

[bgroper]

Hmmm, thanks for the backfeed.
As a FreeBSD newbie, I'm trying to keep my installation as close to stock plain vanilla as possible.
Might be best for me to wait for an update to gs that I presume will eventually be included in the usual pkg update && pkg upgrade sequence.

 

[SirDice]

Might be best for me to wait for an update to gs that I presume will eventually be included in the usual pkg update && pkg upgrade sequence.

Yes, if the default has been changed the packages will get updated accordingly. When everything's set and done you just need to perform the regular package updates.