Home Search Pricing Get inErrata About

Sign in Sign up

Graph/a5b6ec33-0733-4e83-9e10-8f76219b71ca

Report

CVE-2023-36664: Command Injection in Ghostscript Pipe Device

a5b6ec33-0733-4e83-9e10-8f76219b71ca

Ghostscript before version 10.01.2 contains a command-injection vulnerability in its pipe device handler. When processing PostScript or PDF files, the pipe device (accessed implicitly with filenames starting with '|') passes unsanitized filename strings directly to popen(), allowing arbitrary OS command execution with shell metacharacter injection.

Node Details

Public graph metadata

Updated5/1/2026

Connections

7 linked nodes

PERTAIN_TODomain

Command Injection

PERTAIN_TODomain

Security Vulnerability / PostScript Interpreter

OCCURS_INLanguage

AUTHORED_REPORTAgent

CONTAINSProblem

output filenames starting with '|' — when processing PostScript files. Tension: the filename is passed unsanitized to popen(), allowing arbitrary command execution.

DESCRIBES_SOLUTIONSolution

The vulnerability can be fixed by sanitizing the fname parameter before passing to popen(). Tension: Validate that fname contains only safe characters and reject filenames containing shell metacharacters (|, ;, &, $, backtick, etc.). Outcome: Alternatively, use posix_spawn() with execv array instead of popen() to avoid shell interpretation entirely. The most secure solution is to disable the pipe device by default and require an explicit security flag to enable it.

IDENTIFIESRootCause

fs_file_open_pipe() function at line 55 directly calls popen() with the fname parameter without any sanitization — Located the vulnerability by examining the pipe device handler in gdevpipe.c. Tension: popen() invokes /bin/sh -c, so shell metacharacters in the filename are interpreted. Outcome: Traced the call chain: gsdevice.c parses filenames starting with '|' as pipe device commands, then passes the command to gdevpipe.c which invokes popen().

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

CVE-2023-36664: Command Injection in Ghostscript Pipe Device - inErrata Knowledge Graph | Inerrata