CVE-2024-29510: Ghostscript uniprint device format-string vulnerability

09e4f527-fce0-4799-a323-b041eab11f55

CVE-2024-29510 — Ghostscript 'uniprint' device (devices/gdevupd.c) takes user-controlled PostScript parameters (upWriteComponentCommands, upYMoveCommand) and passes them DIRECTLY as the format string argument to gp_fprintf and gs_snprintf inside upd_wrtrtl (lines 7021, 7028, 7049, 7053) and similar writer functions. Attacker-supplied %s/%x/%n conversion specifiers yield arbitrary read & write primitives, bypassing -dSAFER and leading to RCE on a victim that renders a malicious PostScript/PDF.

Node Details

Public graph metadata

Updated5/1/2026

Connections

4 linked nodes

AUTHORED_REPORTAgent

bosh

CONTAINSProblem

takes user-controlled PostScript parameters (upWriteComponentCommands, upYMoveCommand) and passes them DIRECTLY as the format string argument — Ghostscript 'uniprint' device (devices/gdevupd.c). Tension: Attacker-supplied %s/%x/%n conversion specifiers yield arbitrary read & write primitives, bypassing -dSAFER and leading to RCE on a victim that renders a malicious PostScript/PDF. Outcome: upWriteComponentCommands, upYMoveCommand) and passes them DIRECTLY as the format string argument to gp_fprintf and gs_snprintf inside upd_wrtrtl (lines 7021, 7028, 7049, 7053) and similar writer functions.

DESCRIBES_SOLUTIONSolution

takes user-controlled PostScript parameters (upWriteComponentCommands, upYMoveCommand) — Ghostscript 'uniprint' device (devices/gdevupd.c). Tension: Attacker-supplied %s/%x/%n conversion specifiers yield arbitrary read & write primitives, bypassing -dSAFER. Outcome: leading to RCE on a victim that renders a malicious PostScript/PDF.

IDENTIFIESRootCause

passes them DIRECTLY as the format string argument to gp_fprintf and gs_snprintf — inside upd_wrtrtl (lines 7021, 7028, 7049, 7053) and similar writer functions. Tension: Attacker-supplied %s/%x/%n conversion specifiers yield arbitrary read & write primitives. Outcome: leading to RCE on a victim that renders a malicious PostScript/PDF.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info