An issue was discovered in Artifex Ghostscript before 10.05.0. The NPDL device has a Compression buffer overflow for contrib/japanese/gdevnpdl.c.

vendor_unpatched cve-2025-27832: Unpatched CVEs for Debian Linux (cve-2025-27832)

The version of ghostscript installed on the remote host is prior to 8.70-24.34. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2025-1967 advisory.

    The calculation of the buffer size was being done with int values, and overflowing that data type. The bug     has existed since the creation of the file contrib/japanese/gdevnpdl.cThe calculation of the buffer size     was being done with int values, and overflowing that data type. By leaving the total size calculation to     the memory manager, the calculation ends up being done in size_t values, and avoiding the overflow in this     case, but also meaning the memory manager overflow protection will be effective.

    Fixed in ghostpdl-10.05.0

    Info: https://bugs.ghostscript.com/show_bug.cgi?id=708133Patch: https://cgit.ghostscript.com/cgi-     bin/cgit.cgi/ghostpdl.git/commit/?id=57291c846334f1585552010faa42d7cb2cbd5c41 (CVE-2025-27832)

    Potential print buffer overflow. Fixed in ghostpdl-10.05.0 by implementing stricter buffer length     validation.

    Info: https://bugs.ghostscript.com/show_bug.cgi?id=708192Patch: https://cgit.ghostscript.com/cgi-     bin/cgit.cgi/ghostpdl.git/commit/?id=8b6d19b2b4079da6863ef25f2370f25d4b054919 (ghostpdl-10.05.0)     (CVE-2025-27836)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-3a7a29de24 advisory.

    CVE-2025-27835 ghostscript: Buffer overflow when converting glyphs to unicode (fedora#2355025)

    CVE-2025-27834 ghostscript: Buffer overflow caused by an oversized Type 4 function in a PDF     (fedora#2355023)

    CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow (fedora#2355021)

    CVE-2025-27836 ghostscript: device: Print buffer overflow (fedora#2355019)

    CVE-2025-27830 ghostscript: Buffer overflow during serialization of DollarBlend in font (fedora#2355015)

    CVE-2025-27833 ghostscript: Buffer overflow with long TTF font name (fedora#2355011)

    CVE-2025-27837 ghostscript: Access to arbitrary files through truncated path with invalid UTF-8     (fedora#2355009)

    CVE-2025-27831 ghostscript: Text buffer overflow with long characters (fedora#2355007)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4118 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4118-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                          Adrian Bunk     April 07, 2025                                https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : ghostscript     Version        : 9.53.3~dfsg-7+deb11u10     CVE ID         : CVE-2025-27830 CVE-2025-27831 CVE-2025-27832 CVE-2025-27835                      CVE-2025-27836

    Multiple vulnerabilities have been fixed in the PostScript/PDF     interpreter Ghostscript.

    CVE-2025-27830

        Buffer overflow via serialization of DollarBlend

    CVE-2025-27831

        Unicode decoding overrun

    CVE-2025-27832

        Integer overflow leading to buffer overflow

    CVE-2025-27835

        Confusion between bytes and shorts

    CVE-2025-27836

        Buffer overflow in bj10v device

    For Debian 11 bullseye, these problems have been fixed in version     9.53.3~dfsg-7+deb11u10.

    We recommend that you upgrade your ghostscript packages.

    For the detailed security status of ghostscript please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/ghostscript

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-47818d27ba advisory.

    CVE-2025-27835 ghostscript: Buffer overflow when converting glyphs to unicode (fedora#2355026)

    CVE-2025-27834 ghostscript: Buffer overflow caused by an oversized Type 4 function in a PDF     (fedora#2355024)

    CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow (fedora#2355022)

    CVE-2025-27836 ghostscript: device: Print buffer overflow (fedora#2355020)

    CVE-2025-27830 ghostscript: Buffer overflow during serialization of DollarBlend in font (fedora#2355016)

    CVE-2025-27833 ghostscript: Buffer overflow with long TTF font name (fedora#2355012)

    CVE-2025-27837 ghostscript: Access to arbitrary files through truncated path with invalid UTF-8     (fedora#2355010)

    CVE-2025-27831 ghostscript: Text buffer overflow with long characters (fedora#2355008)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:1127-1 advisory.

    - CVE-2025-27831: Fixed text buffer overflow in DOCXWRITE TXTWRITE device via long characters to     devices/vector/doc_common.c (bsc#1240075)
      - CVE-2025-27832: Fixed compression buffer overflow in NPDL device for contrib/japanese/gdevnpdl.c     (bsc#1240077)
      - CVE-2025-27835: Fixed buffer overflow occurs when converting glyphs to Unicode in psi/zbfont.c     (bsc#1240080)
      - CVE-2025-27836: Fixed Print buffer overflow in BJ10V device in contrib/japanese/gdev10v.c     (bsc#1240081)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:1118-1 advisory.

    - CVE-2025-27831: Fixed text buffer overflow in DOCXWRITE TXTWRITE device via long characters to     devices/vector/doc_common.c (bsc#1240075)
      - CVE-2025-27832: Fixed compression buffer overflow in NPDL device for contrib/japanese/gdevnpdl.c     (bsc#1240077)
      - CVE-2025-27835: Fixed buffer overflow occurs when converting glyphs to Unicode in psi/zbfont.c     (bsc#1240080)
      - CVE-2025-27836: Fixed Print buffer overflow in BJ10V device in contrib/japanese/gdev10v.c     (bsc#1240081)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-907 advisory.

    The calculation of the buffer size was being done with int values, and overflowing that data type. The bug     has existed since the creation of the file contrib/japanese/gdevnpdl.cThe calculation of the buffer size     was being done with int values, and overflowing that data type. By leaving the total size calculation to     the memory manager, the calculation ends up being done in size_t values, and avoiding the overflow in this     case, but also meaning the memory manager overflow protection will be effective.

    Fixed in ghostpdl-10.05.0

    Info: https://bugs.ghostscript.com/show_bug.cgi?id=708133Patch: https://cgit.ghostscript.com/cgi-     bin/cgit.cgi/ghostpdl.git/commit/?id=57291c846334f1585552010faa42d7cb2cbd5c41 (CVE-2025-27832)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of ghostscript installed on the remote host is prior to 9.54.0-9. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2805 advisory.

    Potential integer and buffer overflow with DollarBlend during serializing a multiple master font for     passing to Freetype. Fixed by changing a variable type from short to unsigned short and checking if a     length variable exceeds permitted limit.Fixed in ghostpdl-10.05.0 (CVE-2025-27830)

    Text buffer overflow with long characters; the txt_get_unicode function was copying too few bytes from the     fixed glyph name to unicode mapping tables. This was probably causing incorrect Unicode code points in     relatively rare cases but not otherwise a problem. However, a badly formed GlyphNames2Unicode array     attached to a font could cause the decoding to spill over the assigned buffer.

    Patched in ghostpdl-10.05.0 (CVE-2025-27831)

    The calculation of the buffer size was being done with int values, and overflowing that data type. The bug     has existed since the creation of the file contrib/japanese/gdevnpdl.cThe calculation of the buffer size     was being done with int values, and overflowing that data type. By leaving the total size calculation to     the memory manager, the calculation ends up being done in size_t values, and avoiding the overflow in this     case, but also meaning the memory manager overflow protection will be effective.

    Fixed in ghostpdl-10.05.0

    Info: https://bugs.ghostscript.com/show_bug.cgi?id=708133Patch: https://cgit.ghostscript.com/cgi-     bin/cgit.cgi/ghostpdl.git/commit/?id=57291c846334f1585552010faa42d7cb2cbd5c41 (CVE-2025-27832)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7378-1 advisory.

    It was discovered that Ghostscript incorrectly serialized DollarBlend in certain fonts. An attacker could     use this issue to cause Ghostscript to crash, resulting in a denial of service, or possibly execute     arbitrary code. (CVE-2025-27830)

    It was discovered that Ghostscript incorrectly handled the DOCXWRITE TXTWRITE device. An attacker could     use this issue to cause Ghostscript to crash, resulting in a denial of service, or possibly execute     arbitrary code. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 24.10.
    (CVE-2025-27831)

    It was discovered that Ghostscript incorrectly handled the NPDL device. An attacker could use this issue     to cause Ghostscript to crash, resulting in a denial of service, or possibly execute arbitrary code.
    (CVE-2025-27832)

    It was discovered that Ghostscript incorrectly handled certain long TTF file names. An attacker could use     this issue to cause Ghostscript to crash, resulting in a denial of service, or possibly execute arbitrary     code. This issue only affected Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2025-27833)

    It was discovered that Ghostscript incorrectly handled oversized Type 4 functions in certain PDF     documents. An attacker could use this issue to cause Ghostscript to crash, resulting in a denial of     service, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS,     and Ubuntu 24.10. (CVE-2025-27834)

    It was discovered that Ghostscript incorrectly handled converting certain glyphs to Unicode. An attacker     could use this issue to cause Ghostscript to crash, resulting in a denial of service, or possibly execute     arbitrary code. (CVE-2025-27835)

    It was discovered that Ghostscript incorrectly handled the BJ10V device. An attacker could use this issue     to cause Ghostscript to crash, resulting in a denial of service, or possibly execute arbitrary code.
    (CVE-2025-27836)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5888 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5888-1                   security@debian.org     https://www.debian.org/security/                     Salvatore Bonaccorso     March 26, 2025                        https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : ghostscript     CVE ID         : CVE-2025-27830 CVE-2025-27831 CVE-2025-27832 CVE-2025-27833                      CVE-2025-27834 CVE-2025-27835 CVE-2025-27836

    Multiple security issues were discovered in Ghostscript, the GPL     PostScript/PDF interpreter, which could result in denial of service and     potentially the execution of arbitrary code if malformed document files     are processed.

    For the stable distribution (bookworm), these problems have been fixed in     version 10.0.0~dfsg-11+deb12u7.

    We recommend that you upgrade your ghostscript packages.

    For the detailed security status of ghostscript please refer to its     security tracker page at:
    https://security-tracker.debian.org/tracker/ghostscript

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
234705	Amazon Linux AMI : ghostscript (ALAS-2025-1967)	Nessus	Amazon Linux Local Security Checks	critical
234110	Fedora 40 : ghostscript (2025-3a7a29de24)	Nessus	Fedora Local Security Checks	critical
233980	Debian dla-4118 : ghostscript - security update	Nessus	Debian Local Security Checks	critical
233884	Fedora 41 : ghostscript (2025-47818d27ba)	Nessus	Fedora Local Security Checks	critical
233836	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : ghostscript (SUSE-SU-2025:1127-1)	Nessus	SuSE Local Security Checks	critical
233800	SUSE SLES12 Security Update : ghostscript (SUSE-SU-2025:1118-1)	Nessus	SuSE Local Security Checks	critical
233700	Amazon Linux 2023 : ghostscript, ghostscript-gtk, ghostscript-tools-dvipdf (ALAS2023-2025-907)	Nessus	Amazon Linux Local Security Checks	critical
233686	Amazon Linux 2 : ghostscript (ALAS-2025-2805)	Nessus	Amazon Linux Local Security Checks	critical
233470	Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 : Ghostscript vulnerabilities (USN-7378-1)	Nessus	Ubuntu Local Security Checks	critical
233372	Debian dsa-5888 : ghostscript - security update	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2025-27832

critical

Tenable Plugins

Coming Soon

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical