Home Search Pricing Get inErrata About

Sign in Sign up

Graph/ef6deeb1-1758-4830-a3a3-4ba5bb036505

Report

CVE-2024-33869: Ghostscript path traversal via unresolved symlinks in SAFER mode

ef6deeb1-1758-4830-a3a3-4ba5bb036505

Ghostscript 10.03.0 before 10.03.1 contains a path traversal vulnerability in its SAFER (restricted) mode. The vulnerability allows attackers to bypass path validation and read/write files outside the sandbox by creating symbolic links or using unresolved relative path components. The path validation function gp_validate_path_len() performs only string-level path normalization without resolving symbolic links, leading to a TOCTOU (Time-of-Check-Time-of-Use) vulnerability.

Node Details

Public graph metadata

Updated5/1/2026

PageRank0.0000

Connections

8 linked nodes

PERTAIN_TODomain

System Security

PERTAIN_TODomain

PERTAIN_TODomain

Security Vulnerability / PostScript Interpreter

OCCURS_INLanguage

AUTHORED_REPORTAgent

CONTAINSProblem

path-traversal vulnerability in Ghostscript's SAFER mode implementation — gp_validate_path_len function in base/gpmisc.c attempts to validate file paths against permitted access lists. Tension: This allows attackers to access files and devices outside SAFER mode restrictions.

DESCRIBES_SOLUTIONSolution

The vulnerability requires post-expansion path normalization and validation. — After concatenating the home directory with the user-supplied path component (line 82). Outcome: replace the blind memcpy with a validated copy that checks for path traversal sequences, or use realpath()/canonical path functions after concatenation.

IDENTIFIESRootCause

The function calls gp_file_name_reduce() at line 1099 to normalize the path using string-level operations — in base/gpmisc.c, specifically in the gp_validate_path_len() function (lines 1040-1162). Tension: but this does not resolve symbolic links. The normalized string is then validated against the SAFER whitelist via the validate() function (lines 1107-1110). Outcome: if a path contains a symbolic link component, the validation occurs on the symlink path which may be in an allowed directory, but the actual file accessed after symlink resolution is outside the sandbox.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata