ALAS-2025-908


Amazon Linux 2023 Security Advisory: ALAS-2025-908
Advisory Release Date: 2025-03-26 20:44 Pacific
Advisory Updated Date: 2025-04-01 11:34 Pacific
Severity: Important

Issue Overview:

Potential integer and buffer overflow with DollarBlend while serializing a multiple master font for passing to Freetype. Fixed by changing a variable type from short to unsigned short and checking whether a length variable exceeds the permitted limit.
Fixed in ghostpdl-10.05.0 (CVE-2025-27830)

Text buffer overflow with long characters; the txt_get_unicode function was copying too few bytes from the fixed glyph-name-to-Unicode mapping tables. This was probably causing incorrect Unicode code points in relatively rare cases but was not otherwise a problem. However, a badly formed GlyphNames2Unicode array attached to a font could cause the decoding to spill over the assigned buffer.

Patched in ghostpdl-10.05.0 (CVE-2025-27831)


Affected Packages:

ghostscript


Issue Correction:
Run dnf update ghostscript --releasever 2023.7.20250331 to update your system.
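
To confirm that a host actually picked up the fix, the installed version-release can be compared against the fixed build listed under New Packages. The script below is an added example, not part of the advisory: the function names are hypothetical, the sample lines are constructed, and it assumes GNU sort -V orders these version strings the way RPM does.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample lines are constructed.
# Fixed version-release, from the advisory's New Packages list.
FIXED_EVR='9.56.1-7.amzn2023.0.15'

# evr_is_fixed EVR: succeeds when EVR sorts at or above FIXED_EVR.
# Assumption: GNU `sort -V` orders strings of this shape the way RPM does;
# it is not a general replacement for RPM's version comparison.
evr_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED_EVR" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_EVR" ]
}

# classify: reads "name version-release" lines on stdin, labels each one.
classify() {
    while read -r name evr; do
        [ -n "$name" ] || continue
        if evr_is_fixed "$evr"; then
            printf 'fixed %s %s\n' "$name" "$evr"
        else
            printf 'vulnerable %s %s\n' "$name" "$evr"
        fi
    done
}

# check_installed: classify what the local RPM database reports.
# Packages that are not installed are skipped.
check_installed() {
    for pkg in ghostscript libgs; do
        rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null |
            grep -v 'is not installed' || true
    done | classify
}

# Constructed sample input (not real host output): one older build whose
# last release field (9) would sort wrongly as plain text, one fixed build.
sample_report() {
    printf '%s\n' \
        'ghostscript 9.56.1-7.amzn2023.0.9' \
        'libgs 9.56.1-7.amzn2023.0.15' | classify
}

sample_report
```

On an Amazon Linux 2023 host, call check_installed after the update; any line starting with "vulnerable" means that package is still below the fixed build.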

New Packages:
aarch64:
    libgs-devel-9.56.1-7.amzn2023.0.15.aarch64
    ghostscript-debuginfo-9.56.1-7.amzn2023.0.15.aarch64
    ghostscript-tools-fonts-9.56.1-7.amzn2023.0.15.aarch64
    ghostscript-x11-debuginfo-9.56.1-7.amzn2023.0.15.aarch64
    ghostscript-tools-printing-9.56.1-7.amzn2023.0.15.aarch64
    ghostscript-tools-dvipdf-9.56.1-7.amzn2023.0.15.aarch64
    ghostscript-9.56.1-7.amzn2023.0.15.aarch64
    libgs-debuginfo-9.56.1-7.amzn2023.0.15.aarch64
    ghostscript-gtk-debuginfo-9.56.1-7.amzn2023.0.15.aarch64
    ghostscript-gtk-9.56.1-7.amzn2023.0.15.aarch64
    ghostscript-x11-9.56.1-7.amzn2023.0.15.aarch64
    libgs-9.56.1-7.amzn2023.0.15.aarch64
    ghostscript-debugsource-9.56.1-7.amzn2023.0.15.aarch64

noarch:
    ghostscript-doc-9.56.1-7.amzn2023.0.15.noarch

src:
    ghostscript-9.56.1-7.amzn2023.0.15.src

x86_64:
    ghostscript-tools-printing-9.56.1-7.amzn2023.0.15.x86_64
    libgs-debuginfo-9.56.1-7.amzn2023.0.15.x86_64
    ghostscript-x11-debuginfo-9.56.1-7.amzn2023.0.15.x86_64
    ghostscript-tools-dvipdf-9.56.1-7.amzn2023.0.15.x86_64
    ghostscript-x11-9.56.1-7.amzn2023.0.15.x86_64
    libgs-devel-9.56.1-7.amzn2023.0.15.x86_64
    ghostscript-tools-fonts-9.56.1-7.amzn2023.0.15.x86_64
    ghostscript-gtk-debuginfo-9.56.1-7.amzn2023.0.15.x86_64
    libgs-9.56.1-7.amzn2023.0.15.x86_64
    ghostscript-debuginfo-9.56.1-7.amzn2023.0.15.x86_64
    ghostscript-gtk-9.56.1-7.amzn2023.0.15.x86_64
    ghostscript-9.56.1-7.amzn2023.0.15.x86_64
    ghostscript-debugsource-9.56.1-7.amzn2023.0.15.x86_64