
Cloud Vulnerability DB
A community-led vulnerabilities database
Artifex Ghostscript through version 9.26 contains a security vulnerability related to the mishandling of .completefont. This vulnerability is particularly notable as it emerged from an incomplete fix for a previous vulnerability (CVE-2019-3839). The issue was disclosed and assigned CVE-2019-25059 on April 25, 2022 (CVE Mitre).
The vulnerability stems from the improper handling of privileged PostScript operators that remained accessible from various locations. This security flaw allows specially crafted PostScript files to bypass the constraints imposed by the -dSAFER security feature, potentially gaining unauthorized access to the file system (Debian LTS).
When exploited, this vulnerability enables attackers to access the file system outside of the security constraints that should be enforced by the -dSAFER option. This poses a significant security risk as it could lead to unauthorized file system access and potential system compromise (Debian LTS).
The issue has been addressed in various distributions with security updates. For Debian 9 (stretch), the fix was implemented in version 9.26a~dfsg-0+deb9u9. Other versions have also received patches, including bullseye (9.53.3~dfsg-7+deb11u9) and bookworm (10.0.0~dfsg-11+deb12u6) (Security Tracker).
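To check an inventory against the fixed versions listed above, the following added example (not part of the original advisory) reimplements Debian's package version ordering, including the `~` rule, so it runs on a scanner host without `dpkg`. The function names and the sample inventory are assumptions constructed for illustration.

```python
import re
from itertools import zip_longest

# Fixed ghostscript package versions exactly as listed in the advisory text above.
FIXED = {
    "stretch": "9.26a~dfsg-0+deb9u9",
    "bullseye": "9.53.3~dfsg-7+deb11u9",
    "bookworm": "10.0.0~dfsg-11+deb12u6",
}

def _order(c):
    # '~' sorts before everything, even end of string; letters sort before symbols.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate between non-digit runs (compared by _order) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for x, y in zip_longest(na, nb, fillvalue=""):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; the revision starts at the last hyphen.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def deb_cmp(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(release, installed):
    return deb_cmp(installed, FIXED[release]) >= 0

if __name__ == "__main__":
    # Constructed inventory rows: (host, release, installed ghostscript version).
    for host, rel, ver in [("web1", "stretch", "9.26a~dfsg-0+deb9u8"),
                           ("ci2", "bookworm", "10.0.0~dfsg-11+deb12u6")]:
        print(host, rel, ver, "patched" if is_patched(rel, ver) else "VULNERABLE")
```

A plain string or numeric comparison would misorder versions such as `9.26~dfsg` and `9.26a~dfsg`, which is why the `~` handling matters here.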
Source: This report was generated using AI