Bug 708446

Summary: Created PDF embeds the entire command-line invocation, including the plaintext password.
Product: Ghostscript Reporter: Vasileios Flengas <v.flengas>
Component: Security (public)Assignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED    
Severity: normal CC: carnil, dr, jsmeix, ken.sharp, marc.deslauriers, robin.watts, sam, till.kamppeter, zdohnal
Priority: P2    
Version: 10.05.0   
Hardware: PC   
OS: All   
Customer: Word Size: ---
Attachments: The archive includes both the images described and the pdf generated.

Description Vasileios Flengas 2025-04-11 17:47:24 UTC 
Created attachment 26662 [details]
The archive includes both the images described and the pdf generated.

Hello team,

When generating a password-protected PDF using the latest version of the tool on Windows 10, I noticed that the full command-line input, including the plaintext password, is embedded at the beginning of the generated PDF file.
This allows anyone with access to the PDF to retrieve the password simply by running a command like "type" (Windows) or "cat" (Linux/macOS) on the file.

Steps to Reproduce:
1. Download and install the latest version of the tool from GitHub:
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10050/gs10050w64.exe

2. On a Windows 10 machine I run the folowing command in cmd to create a protected pdf file.
"gswin64.exe -dDisplayFormat=198788 -dDisplayResolution=96 -dCompatibilityLevel#1.4 -sUserPassword#123456789 -sOwnerPassword#123456789 -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE#pdfwrite -sOutputFile#C:\Users\Admin\Downloads\test.pdf" (Image1.png).

3. The test.pdf file was successfully created. Inspecting the file using "type test.pdf", revealed the full command used to generate the PDF including the password (Image2.png).

Expected Behavior:
The PDF should not contain sensitive information such as the password used during encryption.

Actual Behavior:
The output PDF embeds the entire command-line invocation including the plaintext password at the beginning of the file.

Enviroment Details:
Tool Version: 10.05.0
Operating System: Windows 10 Pro Version 22H2 (OS Build 19045.5737)
Architecture: x64

This issue may qualify for a CVE, as it involves unintended disclosure of sensitive information (the password used for PDF encryption) within the resulting file. Please consider assigning a CVE ID.

Kind Regards,
Vasileios Flengas
Comment 1 Ken Sharp 2025-04-11 18:24:36 UTC 
<sigh> It's caused by using '#' instead of '=', which is defeating the parameter scanning. I'll look at it on Monday.
Comment 2 Ken Sharp 2025-04-15 12:12:18 UTC 
I've fixed this, but the commit isn't public. These days we keep security commits in a private repository until they are released because, being open source, as soon as we push them to our regular repository they are, in effect, public.

Hence the 'in progress' status, it'll remain there until we do a release with the code included.
Comment 3 Ken Sharp 2025-04-17 09:00:16 UTC 
I've chatted with my colleague who normally raises CVEs and, given that MITRE have announced funding for the next year, we're going to go ahead and request a CVE.

Our most recent request keeps being rebuffed so we'll just have to see what happens with another new one.
Comment 4 Chris Liddell (chrisl) 2025-05-23 08:05:07 UTC 
CVE-2025-48708