
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-27837 is an issue in Artifex Ghostscript before version 10.05.0. A path containing invalid UTF-8 characters can end up truncated during conversion, allowing access to arbitrary files; the affected code is in base/gpmswin.c and base/winrtsup.cpp. The vulnerability was discovered on January 7, 2025, and publicly disclosed on March 25, 2025 (NVD, [Ghostscript Bug](https://bugs.ghostscript.com/show_bug.cgi?id=708238)).
The root cause is missing validation of return values in the gp_open_scratch_file_impl function in base/gpmswin.c. That function relies on gp_utf8_to_uint16 to convert the UTF-8 path to UTF-16, but the conversion can fail on an invalid sequence and its result is not checked, so the output buffer is left holding only a partially decoded path, which is then used as-is. The issue is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has received a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).
The vulnerability could allow attackers to access arbitrary files on affected systems. The bug lies in Windows-specific code paths, where a manipulated UTF-8 character sequence in a path could lead to unauthorized file access (Debian Tracker, Ubuntu Security).
The vulnerability has been fixed in Ghostscript version 10.05.0. The fix adds proper checking of error codes and returned lengths in the Windows-specific platform code, the mswinpr2 printer device, and ICC parameter parsing. The patch also removes unnecessary dynamic allocation and corrects the return value behavior of GetTempFileNameWRT (Ghostscript Bug).
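To show the bug class behind both the root cause and the fix described above, here is an added C illustration that is not Ghostscript's code: a simplified UTF-8 to UTF-16 path decoder, one caller that ignores its return value (the vulnerable pattern) and one that checks it (the fixed pattern). The function names, the `wpath` buffer and the sample paths are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint16_t wpath[64];   /* wide scratch-file path the callers below fill in */

/* Hypothetical illustration of the bug class, not Ghostscript's code. Decodes a
 * UTF-8 path into UTF-16 (BMP only; 4-byte forms and overlong checks omitted).
 * Returns the number of UTF-16 units written, or -1 on a malformed sequence or
 * a full buffer; on failure out[] holds only the prefix decoded so far. */
static int utf8_to_utf16(const unsigned char *in, uint16_t *out, size_t outlen)
{
    size_t n = 0;
    while (*in) {
        uint32_t cp; int extra;
        if (*in < 0x80)                { cp = *in;        extra = 0; }
        else if ((*in & 0xE0) == 0xC0) { cp = *in & 0x1F; extra = 1; }
        else if ((*in & 0xF0) == 0xE0) { cp = *in & 0x0F; extra = 2; }
        else return -1;                /* stray continuation byte or unsupported lead */
        in++;
        for (int i = 0; i < extra; i++, in++) {
            if ((*in & 0xC0) != 0x80) return -1;   /* truncated or malformed sequence */
            cp = (cp << 6) | (*in & 0x3F);
        }
        if (n + 1 >= outlen) return -1;            /* keep room for the terminator */
        out[n++] = (uint16_t)cp;
    }
    out[n] = 0;
    return (int)n;
}

/* Vulnerable pattern: the conversion's result is ignored, so whatever prefix
 * landed in wpath is the path that gets opened. Returns that path's length. */
static int scratch_path_unchecked(const char *path)
{
    int len = 0;
    memset(wpath, 0, sizeof wpath);
    (void)utf8_to_utf16((const unsigned char *)path, wpath, 64);
    while (len < 64 && wpath[len]) len++;
    return len;
}

/* Fixed pattern: the error code is propagated, so a partially decoded path is
 * never used. Returns the length, or -1 meaning refuse to open anything. */
static int scratch_path_checked(const char *path)
{
    memset(wpath, 0, sizeof wpath);
    return utf8_to_utf16((const unsigned char *)path, wpath, 64);
}
```

With a constructed path whose file name contains the byte 0xC3 followed by a non-continuation byte, the unchecked caller silently proceeds with the shorter prefix `C:\Temp\gs_`, while the checked caller refuses.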
Source: This report was generated using AI