Vulnerability Note VU#332928

Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities

Original Release date: 21 Aug 2018 | Last revised: 06 Sep 2018


Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.


Ghostscript contains an optional -dSAFER option, which is supposed to prevent unsafe PostScript operations. Multiple PostScript operations bypass the protections provided by -dSAFER, which can allow an attacker to execute arbitrary commands with arbitrary arguments. This vulnerability can also be exploited in applications that leverage Ghostscript, such as ImageMagick, GraphicsMagick, evince, Okular, Nautilus, and others.

Exploit code for this vulnerability is publicly available.


By causing Ghostscript or a program that leverages Ghostscript to parse a specially-crafted file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code. This action may be triggered with actions as simple as downloading a file from a website.


Apple an update

This issue is addressed in Ghostscript version 9.24. Please also consider the following workarounds:

Disable PS, EPS, PDF, and XPS coders in ImageMagick policy.xml

ImageMagick uses Ghostscript by default to process PostScript content. ImageMagick can be controlled via the policy.xml security policy to disable the processing of PS, EPS, PDF, and XPS content. For example, this can be done by adding these lines to the <policymap> section of the /etc/ImageMagick/policy.xml file on a RedHat system:

    <policy domain="coder" rights="none" pattern="PS" />
    <policy domain="coder" rights="none" pattern="PS2" />
    <policy domain="coder" rights="none" pattern="PS3" />
    <policy domain="coder" rights="none" pattern="EPS" />
    <policy domain="coder" rights="none" pattern="PDF" />
    <policy domain="coder" rights="none" pattern="XPS" />

Check with your vendor for the proper location of this file on your platform. Note that this workaround only mitigates the ImageMagick attack vector to Ghostscript.

Remove Ghostscript

Because of the number of different attack vectors to get to Ghostscript and the public availability of exploit code, the most effective protection for this vulnerability is to remove Ghostscript from your system until a fixed version is available.

Patch Ghostscript

Artifex software has made the following patches available for Ghostscript:;a=commitdiff;h=b575e1ec;a=commitdiff;h=8e9ce501;a=commitdiff;h=241d9111;a=commitdiff;h=c432131c;a=commitdiff;h=e01e77a3;a=commitdiff;h=0edd3d6c;a=commitdiff;h=a054156d;a=commitdiff;h=0d390118;a=commitdiff;h=c3476dde;a=commitdiff;h=b326a716;a=commitdiff;h=78911a01;a=commitdiff;h=5516c614;a=commitdiff;h=78911a01b6;a=commitdiff;h=5516c614dc33;a=commitdiff;h=79cccf641486;a=commitdiff;h=520bb0ea7519aa3e79db78aaf0589dae02103764

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Artifex Software, Inc.Affected24 Aug 201806 Sep 2018
CentOSAffected21 Aug 201822 Aug 2018
Debian GNU/LinuxAffected21 Aug 201822 Aug 2018
Fedora ProjectAffected21 Aug 201822 Aug 2018
FreeBSD ProjectAffected21 Aug 201822 Aug 2018
Gentoo LinuxAffected21 Aug 201822 Aug 2018
ImageMagickAffected24 Aug 201824 Aug 2018
Red Hat, Inc.Affected21 Aug 201821 Aug 2018
SUSE LinuxAffected21 Aug 201822 Aug 2018
SynologyAffected-23 Aug 2018
UbuntuAffected21 Aug 201821 Aug 2018
AppleNot Affected21 Aug 201827 Aug 2018
CoreOSNot Affected21 Aug 201821 Aug 2018
Arch LinuxUnknown21 Aug 201821 Aug 2018
Arista Networks, Inc.Unknown21 Aug 201821 Aug 2018
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal 6.8 E:F/RL:W/RC:C
Environmental 6.8 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND



This vulnerability was publicly disclosed by Tavis Ormandy.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2018-16509
  • Date Public: 21 Feb 2018
  • Date First Published: 21 Aug 2018
  • Date Last Updated: 06 Sep 2018
  • Document Revision: 54


If you have feedback, comments, or additional information about this vulnerability, please send us email.