SECURITY ADVISORY SEPTEMBER 9, 2021 - CVE-2021-3781
Synopsis: The file access protection built into Ghostscript proved insufficient for the "%pipe%" PostScript device, when combined with Ghostscript's requirement to be able to create and control temporary files in the conventional temporary file directories (for example, "/tmp" or "/temp"). This exploit is restricted to Unix-like systems (i.e., it doesn't affect Windows). The most severe claimed results are only feasible if the exploit is run as a "high privilege" user (root/superuser level) – a practice we would discourage under any circumstances.
Resolution: The solution involves including the device specifier string ("%pipe%") in the permissions checking, meaning the entire file name string is validated, rather than (as before) only the sub-string following the device specifier.
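The difference between the two checks described in the Resolution, as an added example that is not Ghostscript's own code: a simplified model in which the permit list holds only the temporary directory. The function names, the prefix-matching rule and the sample file names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical permit list: the temporary directory the interpreter must be able to use. */
static const char *const permitted_prefixes[] = { "/tmp/" };

/* Returns 1 if name begins with a permitted prefix (simplified matching, an assumption). */
static int matches_permit_list(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof permitted_prefixes / sizeof permitted_prefixes[0]; i++) {
        size_t n = strlen(permitted_prefixes[i]);
        if (strncmp(name, permitted_prefixes[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Returns the text after a leading "%device%" specifier, or name itself if there is none. */
static const char *after_device_specifier(const char *name)
{
    const char *end;
    if (name[0] != '%')
        return name;
    end = strchr(name + 1, '%');
    return end ? end + 1 : name;
}

/* Before the fix: only the sub-string following the device specifier is validated. */
int check_substring_only(const char *name)
{
    return matches_permit_list(after_device_specifier(name));
}

/* After the fix: the entire file name string, specifier included, is validated. */
int check_entire_name(const char *name)
{
    return matches_permit_list(name);
}

int main(void)
{
    /* Constructed sample names, not taken from the advisory. */
    const char *samples[] = { "/tmp/gs_scratch", "%pipe%/tmp/gs_scratch" };
    size_t i;
    for (i = 0; i < 2; i++)
        printf("%-24s substring-only=%d entire-name=%d\n", samples[i],
               check_substring_only(samples[i]), check_entire_name(samples[i]));
    return 0;
}
```

With the whole string validated, a name carrying the "%pipe%" specifier no longer inherits the permission granted to the temporary directory, while an ordinary temporary file name is still accepted.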
To remediate CVE-2021-3781 please apply the following patch: Patch
We are not issuing a patch release at this time, as this fix will be included with the official Ghostscript/GhostPDL 9.55.0 release, which is expected by the end of September.
Impacted Product Releases:
- Ghostscript/GhostPDL 9.50
- Ghostscript/GhostPDL 9.52
- Ghostscript/GhostPDL 9.53.3
- Ghostscript/GhostPDL 9.54.0