VYPR
Unrated severity · NVD Advisory · Published Jul 3, 2024 · Updated Aug 2, 2024

CVE-2024-33871

Description

In Artifex Ghostscript before 10.03.1, the opvp/oprp device Driver parameter allows loading an arbitrary dynamic library, enabling code execution via a crafted PostScript document.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in contrib/opvp/gdevopvp.c in Artifex Ghostscript versions before 10.03.1. The Driver parameter for the opvp (and oprp) devices accepts an arbitrary library name, which Ghostscript then attempts to load via dlopen(). This allows an attacker to specify any shared library on the filesystem as the driver. The code path is reachable when processing a PostScript document that opens the opvp or oprp device with a user-controlled -dDriver= parameter.

Exploitation

An attacker needs the ability to supply a crafted PostScript document to a target running a vulnerable version of Ghostscript. No authentication is required if the document is processed by a service (e.g., a document converter or print spooler). The attacker must know the filesystem path to a malicious shared library (or to an existing system library with exploitable side effects). The concrete sequence involves crafting a PostScript file that invokes the opvp device with a -dDriver=/path/to/malicious.so parameter; upon device initialization, Ghostscript loads and executes code from the specified library.

Impact

Successful exploitation results in arbitrary code execution with the privileges of the Ghostscript process. This can lead to full compromise of the affected system, including data exfiltration, installation of malware, or lateral movement within a network. The CVSS v3.1 base score is 8.8 (High) per Red Hat [1].

Mitigation

The fix was released in Ghostscript version 10.03.1 on 2024-05-02 [1]. Upgrading to this version or later is the recommended mitigation. Users unable to upgrade should ensure that untrusted PostScript documents are not processed by vulnerable versions and consider disallowing use of the opvp/oprp devices if not needed. No workaround is provided by the vendor. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of July 2024.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Vulnerability mechanics

Root cause

"Missing validation of the Driver parameter allows loading an arbitrary dynamic library."

Attack vector

An attacker crafts a malicious PostScript document that sets the "Driver" parameter for the opvp or oprp device to an arbitrary dynamic library name. When Ghostscript processes this document, it loads the specified library, which can be any shared object on the system. If the attacker can place a malicious library at a known path (or use an existing library with exploitable side effects), the library is loaded and executed with the privileges of the Ghostscript process [ref_id=1].

Affected code

The vulnerability resides in `contrib/opvp/gdevopvp.c`, specifically in the `_put_params` function that handles the "Driver" parameter for the opvp and oprp devices. The code accepts an arbitrary library name without validating that it is a permitted driver library [ref_id=1].

What the fix does

The patch adds a check in `_put_params` that, when path control is active, verifies the new Driver string matches the currently loaded driver. If the string differs, the function returns `gs_error_invalidaccess` and rejects the parameter change. This prevents an attacker from switching the driver library to an arbitrary path after initialization, closing the code execution vector [ref_id=1].

Preconditions

  • input: The attacker must supply a crafted PostScript document that sets the Driver parameter for the opvp or oprp device.
  • config: The Ghostscript process must have the opvp/oprp device support compiled in.
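
A triage check for the two conditions this page names, a release before 10.03.1 and opvp/oprp support compiled in. It is an added example, not code from Artifex or from this advisory. It assumes the two inputs are the text printed by `gs --version` and `gs -h`; the function names are illustrative and the sample output is constructed.

```python
import re

FIXED = (10, 3, 1)                 # first fixed release named on this page: 10.03.1
RISKY_DEVICES = {"opvp", "oprp"}   # devices whose Driver parameter is affected

def parse_version(text):
    """Turn `gs --version` output such as '10.02.1' into (10, 2, 1)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def listed_devices(help_text):
    """Collect the names under 'Available devices:' in `gs -h` output."""
    devices, in_block = set(), False
    for line in help_text.splitlines():
        if line.startswith("Available devices:"):
            in_block = True
        elif in_block and line[:1].isspace():
            devices.update(line.split())
        elif in_block:
            break  # next unindented heading, e.g. 'Search path:'
    return devices

def assess(version_text, help_text):
    """Report whether both preconditions hold for this build."""
    version = parse_version(version_text)
    present = sorted(RISKY_DEVICES & listed_devices(help_text))
    return {
        "version": version,
        "below_fixed_release": version < FIXED,
        "devices_present": present,
        "exposed": version < FIXED and bool(present),
    }

# Constructed sample output, not captured from a real host.
SAMPLE_VERSION = "10.02.1\n"
SAMPLE_HELP = """\
Usage: gs [switches] [file1.ps file2.ps ...]
Available devices:
   bbox bit cups jpeg opvp oprp pdfwrite
   png16m ps2write txtwrite
Search path:
   /usr/share/ghostscript/10.02.1/Resource/Init
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_HELP))
```

Distribution packages often backport fixes without changing the upstream version string, so confirm a `below_fixed_release` result against the package changelog before treating the host as unpatched.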

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
