2354963 – (CVE-2025-27831) CVE-2025-27831 Ghostscript: Text buffer overflow with long characters

Bug 2354963 (CVE-2025-27831) - CVE-2025-27831 Ghostscript: Text buffer overflow with long characters

Summary: CVE-2025-27831 Ghostscript: Text buffer overflow with long characters

Keywords:
Status:	NEW
Alias:	CVE-2025-27831
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2355007 2355008
Blocks:
TreeView+	depends on / blocked

Reported:	2025-03-25 21:01 UTC by OSIDB Bzimport
Modified:	2025-04-04 08:00 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)
Demo exploit document which opens Gnome calculator on Fedora 41 (12.54 KB, application/zip) 2025-04-04 08:00 UTC, Alexander Neumann	no flags	Details
View All

Description OSIDB Bzimport 2025-03-25 21:01:48 UTC

An issue was discovered in Artifex Ghostscript before 10.05.0. The DOCXWRITE TXTWRITE device has a text buffer overflow via long characters to devices/vector/doc_common.c.

Comment 2 Alexander Neumann 2025-04-04 08:00:17 UTC

Why is this issue only rated a medium risk? It is highly critical: receiving a document via email and opening it with LibreOffice directly leads to embedded code being executed!

The needed exploit code is public, I'll attached a demo.odt document for you to try, it only opens Gnome Calculator.

For Fedora 41 (stable) there's already a patched version of Ghostscript in testing, can you please expedite the move to stable? Thank you very much!

Comment 3 Alexander Neumann 2025-04-04 08:00:51 UTC

Created attachment 2083389 [details]
Demo exploit document which opens Gnome calculator on Fedora 41

Note You need to log in before you can comment on or make changes to this bug.