CVE-2024-29510 Overview
CVE-2024-29510 is a format string vulnerability in Artifex Ghostscript versions before 10.03.1. The flaw resides in the uniprint device handler, where attacker-controlled input reaches a format string function without sanitization. Exploitation enables memory corruption and bypass of the -dSAFER sandbox, which Ghostscript relies on to restrict dangerous operations during PostScript processing. Because Ghostscript is widely embedded in document processing pipelines such as ImageMagick, LibreOffice, and various print servers, this issue affects any workflow that converts untrusted PostScript or EPS files. The vulnerability is tracked under CWE-693: Protection Mechanism Failure.
Critical Impact
Attackers who supply a crafted PostScript document can escape the SAFER sandbox and execute arbitrary code in the context of the Ghostscript process.
Affected Products
- Artifex Ghostscript versions prior to 10.03.1
- Applications embedding vulnerable Ghostscript builds (for example, ImageMagick, LibreOffice, CUPS print filters)
- Linux and Unix server environments running document conversion workflows
Discovery Timeline
- 2024-07-03 - CVE-2024-29510 published to NVD
- 2024-07-03 - Public disclosure on the Openwall OSS-Security mailing list and technical write-up published by Codean Labs
- 2025-04-28 - Last updated in NVD database
Technical Details for CVE-2024-29510
Vulnerability Analysis
The vulnerability is a classic format string injection [CWE-134] reachable through the uniprint output device. Ghostscript exposes device parameters that can be configured from within a PostScript program. When the uniprint device processes specific string parameters, attacker-supplied content is passed directly into a printf-style function as the format argument. This allows the attacker to read process memory using %s and %x conversions and to write memory using the %n conversion specifier. With arbitrary read and write primitives inside the Ghostscript interpreter, an attacker can corrupt internal state that enforces the SAFER sandbox. Once the sandbox state is cleared, restricted operators that allow file system access and shell command execution become available, leading to local code execution under the identity of the rendering process.
Root Cause
The root cause is improper handling of user-controlled string parameters supplied to the uniprint device. The device implementation forwards these strings into a formatted output routine without using a fixed %s format string, violating the standard mitigation for format string flaws. The protection mechanism failure classification (CWE-693) reflects that the issue also defeats the -dSAFER sandbox that users explicitly enable to render untrusted input safely.
Attack Vector
Exploitation requires that a victim or automated service process an attacker-crafted PostScript, EPS, or PDF document with Ghostscript. The malicious file selects the uniprint device and sets a device parameter containing format specifiers. Many web and enterprise environments feed user-uploaded documents into Ghostscript-based conversion pipelines, which makes the local attack vector reachable from remote upload endpoints in practice. The published research from Codean Labs demonstrates end-to-end command execution despite -dSAFER being enabled.
No verified proof-of-concept code is reproduced here. Refer to the Codean Labs technical analysis and Ghostscript Bug Report #707662 for the exploitation primitives and vendor fix details.
Detection Methods for CVE-2024-29510
Indicators of Compromise
- PostScript or EPS files containing references to the uniprint device combined with format specifiers such as %s, %x, or %n in device parameter strings
- Ghostscript processes (gs, gsc) spawning unexpected child processes such as /bin/sh, bash, curl, or wget
- Outbound network connections from document conversion services that historically did not require network egress
- New or modified files written by the Ghostscript user account outside expected temporary directories
Detection Strategies
- Inventory installed Ghostscript versions across servers and developer workstations and flag any build older than 10.03.1
- Inspect document conversion pipelines (ImageMagick, LibreOffice, print servers) for bundled Ghostscript binaries that may lag behind system packages
- Apply static scanning to inbound PostScript and EPS uploads for use of the uniprint device selector
- Correlate process telemetry to identify Ghostscript spawning interactive shells or networking utilities
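The static upload scan described above and in the Indicators of Compromise list can be sketched as follows. This is an added example, not code from the advisory or from Ghostscript; the function names, the three verdict labels and the sample inputs (including the placeholder `/ExampleParam`) are assumptions made for illustration. It reads only `(...)` literals, so hex `<...>` strings, encoded streams and computed names are outside its reach.

```python
import re

# printf-style conversion: '%', optional flags/width/precision/length, conversion letter.
CONVERSION = re.compile(rb"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|j|z|t)?[diouxXeEfgGcspn]")
# The device name as a whole token, whether written as /uniprint or (uniprint).
DEVICE = re.compile(rb"(?<![A-Za-z0-9_])uniprint(?![A-Za-z0-9_])")
OCTAL = re.compile(rb"[0-7]{1,3}")

def ps_strings(data: bytes):
    """Yield the contents of PostScript (...) literals, decoding \\ddd and \\c escapes.

    Outside a string '%' starts a comment that runs to end of line, so only
    a '%' inside a literal can end up in a device parameter string.
    """
    i, n = 0, len(data)
    while i < n:
        c = data[i]
        if c == ord("%"):                      # comment: skip to end of line
            while i < n and data[i] not in b"\r\n":
                i += 1
        elif c == ord("("):
            depth, i, buf = 1, i + 1, bytearray()
            while i < n and depth:
                ch = data[i]
                if ch == ord("\\") and i + 1 < n:
                    m = OCTAL.match(data, i + 1)   # \045 decodes to '%'
                    buf.append(int(m.group(), 8) & 0xFF if m else data[i + 1])
                    i = m.end() if m else i + 2
                    continue
                depth += (ch == ord("(")) - (ch == ord(")"))
                if depth:                      # keep nested parens, drop the closing one
                    buf.append(ch)
                i += 1
            yield bytes(buf)
            continue
        i += 1

def scan_upload(data: bytes) -> str:
    """Return 'block', 'review' or 'pass' for one uploaded PostScript/EPS body."""
    if not DEVICE.search(data):
        return "pass"
    hits = [s for s in ps_strings(data) if CONVERSION.search(s)]
    return "block" if hits else "review"

# Constructed fragments for the scanner; /ExampleParam is a placeholder name.
SUSPECT = b"%!PS\n/uniprint\n/ExampleParam (A\\045x %n)\n"
BENIGN = b"%!PS\n% printf uses %s and %n\n(Discount: 50%) show\nshowpage\n"
DEVICE_ONLY = b"%!PS\n(uniprint)\n"
```

Treat a `pass` verdict as triage only: a file that hides the device name or the specifiers behind encoding will not match, so the scan complements patching and sandboxing rather than replacing them.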
Monitoring Recommendations
- Enable command-line auditing on Linux hosts using auditd or eBPF-based sensors to capture Ghostscript invocations and arguments
- Forward process, file, and network telemetry from servers running document workflows into a central analytics platform for retrospective hunting
- Alert on Ghostscript child processes that are not part of the documented rendering chain
- Monitor file integrity on directories writable by the rendering service account
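The child-process alert recommended above, run over process-exec telemetry, as an added example that is not part of the original advisory. The one-JSON-object-per-line event format, the field names and the sample events are constructed; the empty allowlist assumes a rendering chain in which Ghostscript never needs to start another program, and events are assumed to arrive parent first.

```python
import json
import posixpath

GS_NAMES = {"gs", "gsc"}      # Ghostscript process names listed in the indicators
ALLOWED_CHILDREN = set()      # assumption: nothing legitimately runs under gs here

# Constructed exec events, one JSON object per line; not real sensor output.
EVENTS = """\
{"pid": 100, "ppid": 1, "exe": "/usr/bin/convert", "argv": ["convert", "upload.eps", "out.png"]}
{"pid": 101, "ppid": 100, "exe": "/usr/bin/gs", "argv": ["gs", "-dSAFER", "-o", "out.png", "upload.eps"]}
{"pid": 102, "ppid": 101, "exe": "/bin/sh", "argv": ["sh", "-c", "<constructed>"]}
{"pid": 103, "ppid": 102, "exe": "/usr/bin/curl", "argv": ["curl", "<constructed>"]}
{"pid": 200, "ppid": 1, "exe": "/usr/bin/gs", "argv": ["gs", "--version"]}
{"pid": 201, "ppid": 1, "exe": "/bin/bash", "argv": ["bash"]}
"""

def gs_ancestor(pid, procs):
    """Walk the parent chain and return the nearest Ghostscript ancestor pid, or None."""
    seen = set()
    ppid = procs[pid]["ppid"]
    while ppid in procs and ppid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(ppid)
        if posixpath.basename(procs[ppid]["exe"]) in GS_NAMES:
            return ppid
        ppid = procs[ppid]["ppid"]
    return None

def find_gs_descendants(lines):
    """Return (gs_pid, child_pid, child_name) for every process running under Ghostscript.

    Walking ancestors, not just the direct parent, also catches a tool that
    is launched through an intermediate shell (gs -> sh -> curl).
    """
    procs, alerts = {}, []
    for line in lines.splitlines():
        ev = json.loads(line)
        procs[ev["pid"]] = ev
        name = posixpath.basename(ev["exe"])
        anc = gs_ancestor(ev["pid"], procs)
        if anc is not None and name not in ALLOWED_CHILDREN:
            alerts.append((anc, ev["pid"], name))
    return alerts
```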
How to Mitigate CVE-2024-29510
Immediate Actions Required
- Upgrade Artifex Ghostscript to version 10.03.1 or later on every host where it is installed
- Update downstream applications that bundle their own Ghostscript copies, including container images used in CI and document processing
- Audit upload-handling services that pass untrusted files to Ghostscript and quarantine PostScript inputs until patching completes
- Restrict the rendering service account to least privilege and isolate it from sensitive data stores
Patch Information
Artifex addressed the vulnerability in Ghostscript 10.03.1. The fix is tracked in Ghostscript Bug Report #707662. Linux distributions including Debian, Ubuntu, Red Hat, and SUSE have published backported package updates; apply vendor advisories appropriate to your distribution. Additional context is available in the Vicarius advisory.
Workarounds
- Remove or disable the uniprint device from Ghostscript builds where it is not required
- Run Ghostscript inside a hardened sandbox such as seccomp, bubblewrap, or a dedicated container with no network egress and a read-only file system
- Reject inbound PostScript and EPS files at the application boundary when business requirements allow conversion only from PDF or raster formats
- Enforce -dSAFER along with explicit -dNOOUTERSAVE and device whitelisting, recognizing these flags alone do not remediate the underlying flaw
```bash
# Verify the installed Ghostscript version
gs --version

# Example: upgrade Ghostscript to the distribution's patched package on Debian/Ubuntu
sudo apt-get update && sudo apt-get install --only-upgrade ghostscript

# Example: run with -dSAFER, -dNOOUTERSAVE and an explicit output device
# (hardening only; these flags do not remediate the flaw on unpatched builds)
gs -dSAFER -dNOOUTERSAVE -sDEVICE=pdfwrite -o output.pdf input.ps
```