Does Ghostscript vulnerability affect SumatraPDF?

dorliko

I believe not by default, since SumatraPDF uses MuPDF and Ghostscript has to be installed manually, right?

Unpatched Ghostscript Flaws Allow Remote Takeover of Systems

GitHubRulesOK

Later update: these vulnerabilities were all closed in Ghostscript version 9.24.
Always consider using the latest (currently 9.5+) when integrating GS viewing of [E]PS within SumatraPDF.

The reports currently only identify Unix exploits, and as at 21st Aug the Windows effect is “unknown”. That could easily change, so for the latest, watch https://www.kb.cert.org/vuls/id/CHEU-B3UKMZ
It mainly affects libgs or products based upon it, such as ImageMagick, GraphicsMagick, evince, Okular, Nautilus, and others.
If you are NOT using GS, or it is uninstalled, this should not affect SumatraPDF.
It is possible to secure SumatraPDF against filetypes such as PS and XPS etc., but it would not make sense to block PDF :slight_smile: in which they may be embedded.

The bottom line always is that ANY program can be affected by malicious files from unknown sources, or they can be distributed by “friends” as if from a trusted source.

dorliko

Thanks for your reply, GitHubRulesOK. I’ll keep an eye on it. The main reason I posted my concern is that Ghostscript is from the same company that created MuPDF (i.e. Artifex) and maybe they share code regarding PDF handling. I know SumatraPDF is pretty safe compared to other viewers that run scripts / code in some form, but as of now, the last version is 2 years old, so that’s another thing to keep in mind.

GitHubRulesOK

SumatraPDF can view PostScript (PS), Adobe Illustrator (AI) and Encapsulated PS (EPS) with any registered installed copy of GS for Windows. Also note XPS is handled internally but could be passed to any XPS viewer.

The problem is thus NOT strictly MuPDF file handling (though only time will tell if changes get ported from GS).

It is more the fact that GS on Unix file handling can be compromised, so it MAY or MAY NOT affect those “SumatraPDF on Wine” users that have GS installed, since PDF is more likely on Unix to be associated with Ghostscript.

And if you clicked on the link above, it proves the point: “you trusted me”. WHY? :raised_hand_with_fingers_splayed: :thinking: