CVE-2025-59801: 
Ghostscript vulnerability analysis and mitigation

A stack-based buffer overflow vulnerability was discovered in Artifex GhostXPS before version 10.06.0, identified as CVE-2025-59801. The vulnerability exists in the xpsunpredicttiff function in xpstiff.c due to insufficient validation of the samplesperpixel value. The issue affects the XPS document processing functionality of GhostXPS (Ghostscript Bug).

The vulnerability stems from a lack of bounds checking on the samplesperpixel parameter in the xpsunpredicttiff function. The function uses a fixed-size array of 32 bytes but fails to validate the samplesperpixel value, allowing an attacker to trigger a stack-based buffer overflow. The XPS specification only permits SamplesPerPixel values of 1, 3, 4, or 5, but this validation was missing in the affected versions (Ghostscript Commit).

The vulnerability could potentially lead to remote code execution (RCE) when processing maliciously crafted XPS files. However, successful exploitation would require bypassing modern security protections such as ASLR and stack canaries, likely requiring additional information leak vulnerabilities to achieve full RCE (Ghostscript Bug).

The vulnerability has been patched in GhostXPS version 10.06.0. The fix implements proper validation of TIFF values, including checks for SamplesPerPixel, BitsPerSample, and Compression values. Users should upgrade to version 10.06.0 or later to address this vulnerability (Ghostscript Commit).