Ghostscript Concerns

1 Overview

Safran Software Solutions has identified security vulnerabilities associated with Ghostscript, a third-party software previously used in our PDF generation processes. As a proactive measure, we are removing all dependencies on this software.

From the next version (Version 25.1.00), Ghostscript will no longer be included or distributed with Safran software. Within our development stage, Ghostscript has already been removed and replaced with an alternative that passes commonly used security tests.

The previously used CutePDF tool has also been removed from all Safran installations. This tool was used when users selected the "Save to File" option or sent emails with PDF attachments generated by the software.

From now on, Safran will rely on the Microsoft PDF Printer Driver, which is built into Windows, for all PDF generation tasks.

1.1 What is the impact of the vulnerabilities for users of Safran software products?

We have evaluated the impact of these isses in Safran software. The risk of using the software is minimal. Our usage of the Ghostscript is very limited and done through the use of an API to reduce the risks and keep in control. However, we do understand that our customers are concerned. Based on that we have done some changes described in chapter 1.2 "Changes in Version 25.1.00 and Beyond" and also some workaround that can be implemented in the current product line to mitigate the risk, that is described in chapter 2 "Recommended actions for Users and Administrators to mitigate risk".

1.1.1 Detailed investigation of Ghostscript in Safran software products

Our code is using the following API calls:

gsapi_new_instance_imp
gsapi_init_with_args_imp
gsapi_exit_imp
gsapi_delete_instance_imp

These functions themselves are not inherently insecure; there are some known security and stability considerations when using them:

Thread Safety
1. Ghostscript is not thread-safe by default. Only one instance per process is supported on some platforms.
2. Concurrent access (e.g., from multiple web requests) can lead to crashes or undefined behavior unless properly synchronized.
  
  Impact in Safran:
  Our programming language operates in a single-threaded environment, so the threading concerns mentioned are not applicable to us. The user interface is blocked during Ghostscript operations, ensuring no concurrent access occurs.
Input Validation
1. If you're passing user-supplied arguments to gsapi_init_with_args_imp, ensure they are sanitized. Malicious input could exploit vulnerabilities in Ghostscript's interpreter.
  
  Impact in Safran:
  
  Our application controls all arguments passed to Ghostscript. The only user-supplied input is the filename, which would require intentional malicious manipulation to pose a risk.
Input File Trust
1. Ghostscript has had critical vulnerabilities in the past (e.g., CVEs related to PostScript file execution).
2. When processing untrusted files, it is strongly recommended that Ghostscript be run in a controlled environment.
  
  Impact in Safran:
  
  We exclusively generate our own PostScript (PS) files using the Safran PS Writer. No external or untrusted PS files are processed, eliminating the risk of executing potentially harmful content.
Resource Management
1. Always pair gsapi_new_instance_imp with gsapi_delete_instance_imp, and gsapi_init_with_args_imp with gsapi_exit_imp.
2. Failing to do so can lead to memory leaks or resource exhaustion.
  
  Impact in Safran:
  
  We consistently pair gsapi_new_instance with gsapi_delete_instance, ensuring proper resource cleanup. Memory management issues are considered implementation concerns rather than security vulnerabilities.
DLL Locking Issues
1. On Windows, multiple simultaneous calls to the DLL (e.g., from different browser sessions) can cause locking issues or errors like -100 on gsapi_new_instance 2.
2. A workaround is to serialize access to the DLL or use separate processes.
  
  Impact in Safran:
  
  DLL locking is a known behavior on Windows and is not specific to Ghostscript. The only scenario that might resemble this issue is when Safran is installed centrally and accessed by multiple users. However, Windows effectively isolates processes, mitigating any related risks.

1.2 Changes in Version 25.1.00 and Beyond

In version 25.1.00, the Safran codebase has been updated to remove references to Ghostscript and CutePDF completely. The software now utilizes the Microsoft PDF Printer Driver, eliminating the associated security concerns.

This change ensures:

Continued support for existing features such as Save to PDF and email with PDF attachments.
Automatic benefit from any future updates or improvements made by Microsoft to their PDF driver.

2 Recommended Actions for Users and Administrators to mitigate risk

Until version 25.1.00 is deployed, we recommend the following actions to mitigate risk:

2.1 Disable or Remove Legacy Components

Delete the folder named GS from the Safran installation directory.
Uninstall the printer driver named Safran PSWriter.

2.2 Usage Guidelines

Avoid using the "Save to File" and email PDF features in the current software versions.
Use only trusted PDF printer drivers, such as the Microsoft PDF Printer Driver or others approved by your organization.

These steps will help prevent the use of unsecure PDF generation methods.

2.3 Manual Removal Instructions

2.3.1 Remove Ghostscript Files

Locate the Safran software icon on your desktop or in the Start menu.
Right-click the icon and select "Open file location".
In the File Explorer window, look for a folder named "project\gs" or simply "gs".

The file directory shows the Ghostscript gs folder in Windows Explorer.

Delete the GS folder and its contents.

The consequence of removing the GS folder is that you would get an error message when you are in print preview of any report and choose Save To File or Mail Report. The error message tells you that it cannot find the file named gsdll64.dll

2.3.2 Uninstall Safran PSWriter

Click the Start button and search for "Printers & scanners".
Open the Printers & scanners settings.
Locate the printer named Safran PSWriter.

List of printers and scanners with Safran PSWriter highlighted for selection.

Click on it and select Remove.

Printer settings for Safran PSWriter, including options to remove and manage printing tasks.

3 Alternative PDF Drivers

You can continue to generate PDF files by printing to the Microsoft Print to PDF driver, which is included with Windows 11 and 10.

To ensure it is installed:

Open the Start menu and search for "Windows Features".
Select "Turn Windows features on or off".
Ensure "Microsoft Print to PDF" is checked.

Windows features menu showing Microsoft Print to PDF option selected for installation.

If it is already checked but not functioning, uncheck it, apply changes, restart your computer, and re-enable it.

3.1 How to print to PDF using the Microsoft Print to PDF printer

When a report is open, click the print icon and from the list of printers, choose the printer named Microsoft Print to PDF from the list of available printers before clicking Print.

Printer selection interface showing options and a message about print preview support.

4 Known Security Vulnerabilities in Ghostscript

Several vulnerabilities have been identified in Ghostscript, including:

CVE-2021-3781: Sandbox escape flaw allowing arbitrary command execution.
CVE-2023-28879: Buffer overflow in PostScript interpreter.
CVE-2023-36664: Improper permission validation for pipe devices.
CVE-2021-45944: Use-after-free vulnerability.
CVE-2021-45949: Heap-based buffer overflow.

A full and updated list of vulnerabilities for Ghostscript can be found at:
🔗 https://vulmon.com/searchpage?q=ghostscript&sortby=byriskscore

5 Final Note

These changes only affect PDF generation functionality. All other features and user experiences remain unaffected. Our support team is available to assist with any part of this transition.