Artifex Ghostscript Overlong UTF-8 Encoding Vulnerability Leading to Arbitrary File Access

A vulnerability in Artifex Ghostscript versions prior to 10.05.0 allows for improper handling of overlong UTF-8 encodings in the 'decode_utf8' function within 'base/gp_utf8.c'. This flaw arises from an incomplete resolution of a previous vulnerability, CVE-2024-46954, and can be exploited to perform arbitrary file read and write operations, as well as directory listings. Such exploitation could potentially lead to remote code execution, depending on the system's configuration.

Impact

Exploitation of this vulnerability allows for arbitrary file read and write operations, directory listings, and potentially remote code execution, based on the system's configuration.

Reproduction

The vulnerability can be reproduced by crafting a PostScript file that includes overlong UTF-8 sequences, such as those beginning with 0xC1 0x9C. When this file is processed by Ghostscript, the 'decode_utf8' function fails to properly validate the UTF-8 encoding, bypassing security checks and allowing for path traversal. This can be demonstrated by writing a file that exploits the overlong encoding vulnerability to read or write arbitrary files on the system.

Remediation

Users can upgrade to Ghostscript version 10.05.0 or later, where this vulnerability has been fixed.