CVE-2025-27832
Public on 2025-03-21
Modified on 2025-03-21
Description
The calculation of the buffer size was being done with int values, and overflowing that data type. The bug has existed since the creation of the file contrib/japanese/gdevnpdl.c
The calculation of the buffer size was being done with int values, and overflowing that data type. By leaving the total size calculation to the memory manager, the calculation ends up being done in size_t values, and avoiding the overflow in this case, but also meaning the memory manager overflow protection will be effective.
Fixed in ghostpdl-10.05.0
Info: http://bugs.ghostscript.com/show_bug.cgi?id=708133
Patch: http://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=57291c846334f1585552010faa42d7cb2cbd5c41
The calculation of the buffer size was being done with int values, and overflowing that data type. By leaving the total size calculation to the memory manager, the calculation ends up being done in size_t values, and avoiding the overflow in this case, but also meaning the memory manager overflow protection will be effective.
Fixed in ghostpdl-10.05.0
Info: http://bugs.ghostscript.com/show_bug.cgi?id=708133
Patch: http://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=57291c846334f1585552010faa42d7cb2cbd5c41
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| HAQM Linux 1 | ghostscript | 2025-04-09 | ALAS-2025-1967 | Fixed |
| HAQM Linux 2 - Core | ghostscript | 2025-03-26 | ALAS2-2025-2805 | Fixed |
| HAQM Linux 2023 | ghostscript | 2025-03-26 | ALAS2023-2025-907 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| HAQM Linux | CVSSv3 | 8.4 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSSv3 | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |