Bug 955140 (CVE-2025-46646) - <app-text/ghostscript-gpl-10.05.1: mishandles overlong UTF-8 encoding (incomplete fix for CVE-2024-46954)
Status: IN_PROGRESS
Alias: CVE-2025-46646
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ?? [stable?]
Reported: 2025-05-01 03:05 UTC by Sam James
Modified: 2025-05-01 03:08 UTC
Runtime testing required: ---
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-05-01 03:05:05 UTC
10.05.0 vs 10.05.1:
```
-<h2><a name="Version10.05.0"></a>Version 10.05.0 (2025-03-12)</h2>
+<h2><a name="Version10.05.1"></a>Version 10.05.1 (2025-04-29)</h2>
 <p> Highlights in this release include:
 <ul>
 </li>
 <li>
-<p>This release addresses CVEs: CVE-2025-27835, CVE-2025-27832, CVE-2025-27831, CVE-2025-27836, CVE-2025-27830, CVE-2025-27833, CVE-2025-27837, CVE-2025-27834
-<p>In addition one other security fix for which a CVE is pending which will be added to the online version of this document when assigned:
-<a href="https://ghostscript.readthedocs.io/en/gs10.05.0/News.html">News</a>
+<p>The 10.05.1 patch release addresses:
+<ul>
+<li>
+<p>An overflow issue in Freetype on platforms where <code>long</code> is a 4 byte (rather than 8 byte) type (Microsoft Windows, for example)
+causing corrupted glyph rendering at higher resolutions
 </li>
 <li>
-<p>The 10.05.0 release deprecates the non-standard operator &quot;selectdevice&quot;,
+<p>An issue with embedded files, affecting Zugferd format PDF creation.
+</li>
+<li>
+<p>Broken logic in PDF Optional Content processing
+</li>
+<li>
+<p>Potential slow down due to searching for identifiable font files
+</li>
+<li>
+<p>A small number of extreme edge case segmentation faults.
+</li>
+</ul>
+</li>
+<li>
+<p>This release addresses CVEs: CVE-2025-27835, CVE-2025-27832, CVE-2025-27831, CVE-2025-27836, CVE-2025-27830, CVE-2025-27833, CVE-2025-27837, CVE-2025-27834, CVE-2025-46646
+</li>
+<li>
+<p>The 10.05.1 release deprecates the non-standard operator &quot;selectdevice&qu
```
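Review bot: the added line "This release addresses CVEs: ... CVE-2025-46646" mixes the eight identifiers carried over from the 10.05.0 notes with the new one, so the 10.05.1 notes do not say which release first shipped each fix. With the removed sentence about "one other security fix for which a CVE is pending" gone, it is left open whether CVE-2025-46646 is that pending 10.05.0 fix or a fix new in 10.05.1. The notes should state the fixed-in version per CVE so that downstream trackers can set the affected range correctly.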
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-05-01 03:06:34 UTC
The only CVE listed there which is NOT covered in bug 951285 (so 10.05.0) is CVE-2025-46646:
"""
In Artifex Ghostscript before 10.05.0, decode_utf8 in base/gp_utf8.c mishandles overlong UTF-8 encoding. NOTE: this issue exists because of an incomplete fix for CVE-2024-46954.
"""
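What rejecting overlong encodings looks like in a decoder, as an added example that is not part of the original comment and is neither Ghostscript's decode_utf8 nor the upstream fix. The function names utf8_decode_strict and utf8_is_strict are hypothetical, and the byte sequences mentioned are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Strictly decode one code point from s[0..n). Returns the code point and
 * stores the bytes consumed in *used (if non-NULL); returns -1 for truncated,
 * malformed, overlong, surrogate or out-of-range input. */
int32_t utf8_decode_strict(const unsigned char *s, size_t n, size_t *used)
{
    /* Smallest code point that legitimately needs a sequence of each length. */
    static const uint32_t min_cp[5] = { 0, 0, 0x80, 0x800, 0x10000 };
    size_t len = 1, i;
    uint32_t c;

    if (n == 0) return -1;
    if (s[0] < 0x80)                c = s[0];
    else if ((s[0] & 0xE0) == 0xC0) { len = 2; c = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; c = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; c = s[0] & 0x07; }
    else return -1;                 /* stray continuation byte or 0xF8..0xFF */

    if (n < len) return -1;         /* truncated sequence */
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return -1;   /* not a continuation byte */
        c = (c << 6) | (s[i] & 0x3F);
    }
    /* Overlong: the value would have fit in a shorter sequence, e.g. the
     * constructed bytes C0 AF, which a lax decoder maps to U+002F ('/'). */
    if (c < min_cp[len]) return -1;
    if (c >= 0xD800 && c <= 0xDFFF) return -1;  /* UTF-16 surrogate */
    if (c > 0x10FFFF) return -1;                /* beyond Unicode range */
    if (used) *used = len;
    return (int32_t)c;
}

/* Returns 1 if the whole buffer is strictly valid UTF-8, else 0. */
int utf8_is_strict(const unsigned char *s, size_t n)
{
    size_t used;
    while (n > 0) {
        if (utf8_decode_strict(s, n, &used) < 0) return 0;
        s += used;
        n -= used;
    }
    return 1;
}
```

The minimum-value table is the part that matters for this bug class: a decoder that only masks and shifts accepts several byte spellings of the same character, so any check made on the raw bytes before decoding can disagree with the decoded result.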
Comment 2 Larry the Git Cow gentoo-dev 2025-05-01 03:08:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9dba695d97e78995ce1d6bbb43eb96e05cd6ef53

commit 9dba695d97e78995ce1d6bbb43eb96e05cd6ef53
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-05-01 03:07:56 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-05-01 03:08:09 +0000

    app-text/ghostscript-gpl: add 10.05.1
    
    Bug: https://bugs.gentoo.org/955140
    Signed-off-by: Sam James <sam@gentoo.org>

 app-text/ghostscript-gpl/Manifest                  |   1 +
 .../ghostscript-gpl/ghostscript-gpl-10.05.1.ebuild | 204 +++++++++++++++++++++
 2 files changed, 205 insertions(+)