FERRAMENTAS LINUX: Critical Ghostscript Vulnerability in Ubuntu: USN-7904-1 Analysis and Security Guide

quarta-feira, 3 de dezembro de 2025

Critical Ghostscript Vulnerability in Ubuntu: USN-7904-1 Analysis and Security Guide

 




Critical Ghostscript vulnerability USN-7904-1 affects Ubuntu 20.04/18.04/16.04 LTS, causing Denial of Service. Learn patched package versions & security hardening steps. Patch now.


A newly disclosed security vulnerability in the Ghostscript package poses a significant denial-of-service (DoS) risk to systems running older, long-term support (LTS) releases of Ubuntu, including Ubuntu 20.04 LTS, 18.04 LTS, and 16.04 LTS. Identified as USN-7904-1 and cataloged under CVE-2025-59798 and CVE-2025-59799, this flaw was discovered by security researcher Piotr Kajda

It stems from Ghostscript's incorrect handling of specific file-writing operations, which an attacker could exploit to cause the interpreter to crash. Given Ghostscript's integral role as a PostScript and PDF interpreter in countless document processing workflows, this vulnerability threatens system stability and availability in both enterprise and development environments.

This comprehensive guide provides system administrators and DevOps professionals with an actionable analysis of USN-7904-1. 

Beyond immediate patching instructions, we will explore Ghostscript's critical function in the Linux ecosystem, contextualize this vulnerability within a broader pattern of Ghostscript security issues, and provide strategic recommendations for hardening your document processing security posture. 

Proactive mitigation is not merely a maintenance task—it is a crucial defense against potential service disruption and a necessary step in maintaining robust Linux server integrity.

Understanding the Vulnerability: USN-7904-1 Technical Details

The core of USN-7904-1 is a logic flaw within Ghostscript's file handling routines. When Ghostscript attempts to write certain specially crafted files, it fails to process them correctly, leading to an unexpected crash. T

his constitutes a classic denial-of-service vulnerability, as it allows a remote or local attacker to disrupt document processing services that depend on Ghostscript.

Ghostscript is far more than a standalone tool; it is a core rendering engine embedded in many applications for viewing and converting PostScript and PDF files

This widespread integration amplifies the vulnerability's impact. A DoS attack could cripple print servers, disrupt web applications that generate PDFs on-the-fly, halt document conversion pipelines, and cause failures in visualization tools.

  • Affected Ubuntu Releases: Ubuntu 20.04 LTS (Focal Fossa), 18.04 LTS (Bionic Beaver), 16.04 LTS (Xenial Xerus).

  • CVE Identifiers: CVE-2025-59798, CVE-2025-59799.

  • Vulnerability Type: Denial of Service (DoS) due to improper file handling.

  • Discoverer: Piotr Kajda.

Immediate Mitigation: Patch and Update Instructions

The corrective action for this vulnerability is straightforward: update the affected ghostscript and libgs packages to the patched versions. Canonical has released fixed packages that are available via the standard security repositories and, for extended support, through Ubuntu Pro.

Featured Snippet Answer: To fix the Ghostscript DoS vulnerability (USN-7904-1) on Ubuntu, run sudo apt update && sudo apt upgrade ghostscript and reboot any services that depend on it. Ensure your system is updated to the specific patched package versions listed in the security advisory.

The following table details the exact patched package versions for each affected Ubuntu LTS release.

Patched Package Versions for USN-7904-1




Update Procedure:

  1. Update Package Lists: Open a terminal and run sudo apt update.

  2. Upgrade Ghostscript: Execute sudo apt upgrade ghostscript libgs9. The APT tool will automatically identify and install the correct version for your release.

  3. Verify Installation: Confirm the patch is applied with dpkg -l | grep ghostscript and cross-reference the version number with the table above.

  4. Restart Services: Reboot your system or restart any critical services and applications (e.g., printing services, web servers, document management systems) that may have loaded the vulnerable Ghostscript libraries into memory.

For systems registered with Ubuntu Pro, these patches are covered under the extended security maintenance (ESM) program, which provides ongoing vulnerability fixes for packages in the main and universe repositories long after the standard support period ends.

Ghostscript's Role and the Pattern of Vulnerabilities

To fully appreciate the risk, one must understand Ghostscript's function. It is a powerful, open-source interpreter for the PostScript page description language and Adobe PDF files. Its uses are vast:

  • Rendering and Conversion: Converting PostScript/EPS/PDF files to raster images (PNG, JPEG, TIFF) or other vector formats.

  • Printing: Serving as a backend rasterizer for print servers and CUPS (Common Unix Printing System).

  • Document Processing: Embedded within applications like LibreOffice, GIMP, and numerous web server scripts for on-demand PDF generation or manipulation.

This deep integration into system functionality makes it a high-value target. Is USN-7904-1 an isolated incident? Historical data suggests otherwise. Ghostscript has a history of security flaws requiring prompt attention, indicating that it is a complex piece of software subject to ongoing security scrutiny.

  • USN-7378-1 (March 2025): Addressed critical vulnerabilities (CVE-2025-27830 to CVE-2025-27836) where flaws in handling fonts, devices, and file parsing could lead to denial of service or arbitrary code execution.

  • USN-6897-1 (July 2024): Patched high-severity issues (CVE-2024-29506 to CVE-2024-29511) involving PDF filter names, passwords, and OCR file paths, some of which could also result in arbitrary code execution.

  • USN-5643-1 (Sept 2022): Resolved flaws including a heap-based buffer overflow (CVE-2020-27792) and a NULL pointer dereference (CVE-2022-2085), which were actively exploitable at the time.

This pattern underscores a critical takeaway: managing Ghostscript security is not a one-time task but an ongoing component of system hardening. The transition from simple DoS flaws (like USN-7904-1) to vulnerabilities enabling arbitrary code execution (RCE) in other advisories marks a significant escalation in potential severity.

Proactive Security Hardening Beyond Patching

While applying the USN-7904-1 patch is the mandatory first step, truly robust security requires a layered approach. Here are advanced strategies for system administrators:

  1. Implement the Principle of Least Privilege: Never run applications that use Ghostscript with unnecessary root privileges. Where possible, containerize document processing services (e.g., using Docker or Kubernetes) to isolate them from the host system. This limits the blast radius of any potential future vulnerability that escalates beyond a DoS.

  2. Leverage Ghostscript's Sandboxing Flags: When invoking Ghostscript directly via command line for conversions, always use the -dSAFER flag. This option activates a restricted mode that disables dangerous file system and operator commands, effectively sandboxing the interpreter. For example:

    bash
    gs -dSAFER -dBATCH -dNOPAUSE -sDEVICE=png16m -sOutputFile=output.png input.pdf

  3. Conduct Dependency Audits: Use tools like apt-show-versions or dpkg -l to regularly audit all installed packages, not just Ghostscript. Identify other packages that depend on Ghostscript (apt-cache rdepends ghostscript) to assess your full exposure.

  4. Develop a Formal Patch Management Policy: Given Ghostscript's vulnerability history, establish a policy to monitor Ubuntu Security Notices (USNs) regularly. Subscribe to the Ubuntu security announcements mailing list for immediate alerts.

  5. Evaluate Ubuntu Pro for Extended Coverage: For legacy systems running 16.04 or 18.04 LTS beyond their standard support, Ubuntu Pro provides a vital lifeline of security patches for thousands of packages, including Ghostscript, for up to ten years. This is often a more secure and cost-effective solution than attempting to maintain out-of-support systems.

FAQs on Ghostscript and Ubuntu Security

Q What is Ghostscript used for on Ubuntu servers?

A: Ghostscript is primarily used as a backend interpreter for processing PostScript and PDF files. It enables critical functions like file format conversion (e.g., PDF to image), document rendering for web applications, and serving as the raster image processor (RIP) for printing systems like CUPS.

Q: Is the USN-7904-1 vulnerability being actively exploited?

A: As of the publication date of the advisory (December 2025), there are no public reports of active exploitation for CVE-2025-59798 or CVE-2025-59799. However, the lack of active exploits should not delay patching, as vulnerabilities become easier to weaponize once details are public.

Q: My application uses Ghostscript as a library. Is it vulnerable?

A: Yes. If your application links against the libgs library or shells out to the gs command, it is vulnerable to this DoS condition. You must update the system-level Ghostscript packages and restart your application to load the patched libraries.

A: Are newer Ubuntu releases like 22.04 LTS or 24.04 LTS affected by USN-7904-1?

A: No, according to the advisory, USN-7904-1 specifically affects Ubuntu 20.04, 18.04, and 16.04 LTS. However, newer releases have been subject to their own critical Ghostscript vulnerabilities, such as those detailed in USN-7378-1. All users should ensure their systems are fully updated.

Q: What's the difference between a Denial-of-Service (DoS) and an Arbitrary Code Execution (RCE) vulnerability?

A: A DoS vulnerability, like this one, allows an attacker to crash an application, making it unavailable. An RCE vulnerability is far more severe, as it allows an attacker to run their own code on your system, potentially leading to complete compromise. Past Ghostscript patches have addressed both types.

Conclusion and Strategic Recommendations

The Ghostscript vulnerability outlined in USN-7904-1 serves as a critical reminder of the persistent need for diligent open-source security management. For administrators of affected Ubuntu LTS systems, the path forward is clear: immediate patching is non-negotiable. However, the broader lesson extends beyond this single CVE entry.

Treat Ghostscript as a high-exposure component within your infrastructure. Its complexity and essential role make it a recurring subject of security advisories. Therefore, adopt a strategic posture that combines timely patch application with proactive security hardening—employing sandboxing, privilege reduction, and continuous monitoring.

For organizations reliant on long-term stable environments, investing in Ubuntu Pro for extended security maintenance is a prudent strategy that ensures ongoing protection for foundational packages like Ghostscript. By taking these comprehensive steps, you secure not just a single interpreter, but the stability and reliability of the countless document-driven processes that keep your business operating.


Cezar Henrique at
Marcadores: Linux, Android, Segurança

Nenhum comentário:

Postar um comentário

Assinar: Postar comentários (Atom)