Security release 2023.7.3 of pretix
Today we are disclosing a security issue affecting pretix. We have therefore released versions 2023.7.3, 2023.6.3, and 4.20.4 of pretix that fix this problem, and we strongly recommend that you update your installation as soon as possible.
If you are a customer of our pretix Hosted service, the vulnerability is already fixed for you and you do not need to take action.
#1: Insecure validation of image files [CRITICAL]
CVE ID: not yet assigned
When a picture is uploaded, pretix validates that the file name has an allowed extension (e.g. ".png") and that the file contains valid image data. Until now, however, it did not validate that the image data is actually in one of the formats we allow. This made it possible for an attacker to rename an EPS file to ".png" and upload it successfully.
The library we use for processing image files offloads the parsing of EPS files to the external program Ghostscript. Ghostscript is known to occasionally have critical security vulnerabilities, mostly because of the legacy features it has accumulated over its 35-year history. We have been aware of earlier Ghostscript issues this year and applied patches as soon as they were available, but we have now been alerted to a Ghostscript issue for which no patch has been released yet and which also leads to remote code execution.
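The gap described above is that the format check looked at the file name and at whether the bytes decoded at all, but never at whether the decoded format was one of the allowed ones. The following is an added example (not pretix's own code, and not the fix that shipped in the releases above) of the kind of content-based check that closes it: the upload is only accepted if its leading bytes identify one of the allowed formats and that format agrees with the extension. The signatures, the allow-list and the sample inputs are constructed for this example; the name `validate_image_upload` is hypothetical.

```python
"""Constructed example: reject uploads whose bytes do not match an allowed image format.

This is illustrative code written for this advisory, not pretix's implementation.
"""
import os

# Leading-byte signatures of the formats we are willing to process. Only the
# content decides the format; the file name merely has to agree with it.
ALLOWED_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Formats we name explicitly so that a rejection message can say why. EPS files
# start either with a PostScript comment or with the binary DOS EPS header.
DANGEROUS_SIGNATURES = {
    "eps": [b"%!PS", b"\xc5\xd0\xd3\xc6"],
}

# Extension allow-list (the check the advisory says already existed) mapped to
# the format each extension is expected to carry.
ALLOWED_EXTENSIONS = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}


class UploadRejected(ValueError):
    """Raised when an upload fails any of the validation steps."""


def sniff_format(data: bytes):
    """Return the format implied by the leading bytes, or None if unknown."""
    for fmt, signatures in {**ALLOWED_SIGNATURES, **DANGEROUS_SIGNATURES}.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def validate_image_upload(filename: str, data: bytes) -> str:
    """Return the validated format name or raise UploadRejected.

    All three checks must pass:
      1. the extension is on the allow-list (existed before),
      2. the content sniffs as one of the allowed formats (the missing check),
      3. sniffed format and extension agree, so a renamed file is rejected even
         when both formats would individually be acceptable.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    sniffed = sniff_format(data)
    if sniffed not in ALLOWED_SIGNATURES:
        raise UploadRejected(
            f"content is {sniffed or 'unrecognised'}, not an allowed image format"
        )
    if sniffed != ALLOWED_EXTENSIONS[ext]:
        raise UploadRejected(f"content is {sniffed} but extension claims {ALLOWED_EXTENSIONS[ext]}")
    return sniffed


def describe(filename: str, data: bytes) -> str:
    """Convenience wrapper returning 'accepted: <fmt>' or 'rejected: <reason>'."""
    try:
        return "accepted: " + validate_image_upload(filename, data)
    except UploadRejected as exc:
        return "rejected: " + str(exc)


# Constructed sample inputs: a truncated PNG header (enough for the sniff),
# a textual EPS file, and the binary DOS EPS header.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
EPS_TEXT = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\nshowpage\n"
DOS_EPS = b"\xc5\xd0\xd3\xc6" + bytes(26)

if __name__ == "__main__":
    for name, blob in [("photo.png", PNG_HEADER), ("photo.png", EPS_TEXT),
                       ("photo.png", DOS_EPS), ("photo.jpg", PNG_HEADER)]:
        print(name, "->", describe(name, blob))
```

The second case is exactly the advisory's scenario: an EPS file renamed to ".png" passes the extension check but is rejected before any image library sees it. A magic-byte sniff is a pre-filter, not a substitute for the real decoder check; the image library should additionally be told which formats it may try (Pillow, for instance, accepts a `formats=` argument on `Image.open` for that purpose), and as defence in depth the pretix process should simply not have a Ghostscript binary reachable if no feature needs it.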
Images can be uploaded with almost every level of backend access, as well as whenever an event allows file upload from customers through the "Questions" feature.
Severity rating: The remote code execution itself is not a bug in pretix but in Ghostscript, a separately installed program in your operating system. However, because pretix allows Ghostscript to be invoked on user-uploaded images, the issue becomes remotely exploitable through pretix, so we treat it as a critical vulnerability in pretix as well.
Affected versions: pretix versions 1.0.0 until 2023.7.1 are affected.
This issue has been found by a security researcher and reported to us in private.
All pretix installations are affected. We just released updates for the last three stable versions on PyPI that fix the problem. If you run a pretix installation older than 4.20, please upgrade to a recent version now.
The new docker images will appear on Docker Hub over the next few hours.
We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.
We take the security of our product very seriously and always go the extra mile to make sure you stay safe. Since we are human, security issues may unfortunately still occur from time to time. We do everything we can to find and fix them as quickly as possible. If you notice any security problems or have any questions on this topic, please contact us in private at email@example.com. We will always treat your message with the appropriate priority.