diff -Nru ghostscript-9.53.3~dfsg/debian/changelog ghostscript-9.53.3~dfsg/debian/changelog
--- ghostscript-9.53.3~dfsg/debian/changelog	2025-03-31 16:43:42.000000000 +0530
+++ ghostscript-9.53.3~dfsg/debian/changelog	2025-10-10 13:03:38.000000000 +0530
@@ -1,3 +1,10 @@
+ghostscript (9.53.3~dfsg-7+deb11u11) bullseye-security; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Fix CVE-2025-7462, CVE-2025-59798, CVE-2025-59799
+
+ -- Abhijith PA <abhijith@debian.org>  Fri, 10 Oct 2025 13:03:38 +0530
+
 ghostscript (9.53.3~dfsg-7+deb11u10) bullseye-security; urgency=medium
 
   * Non-maintainer upload by the LTS Team.
diff -Nru ghostscript-9.53.3~dfsg/debian/patches/CVE-2025-59798.patch ghostscript-9.53.3~dfsg/debian/patches/CVE-2025-59798.patch
--- ghostscript-9.53.3~dfsg/debian/patches/CVE-2025-59798.patch	1970-01-01 05:30:00.000000000 +0530
+++ ghostscript-9.53.3~dfsg/debian/patches/CVE-2025-59798.patch	2025-09-29 13:02:23.000000000 +0530
@@ -0,0 +1,128 @@
+From 0cae41b23a9669e801211dd4cf97b6dadd6dbdd7 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 22 May 2025 12:25:41 +0100
+Subject: pdfwrite - avoid buffer overrun
+
+Bug #708539 "Buffer overflow in pdf_write_cmap"
+
+The proposed fix in the report solves the buffer overrun, but does not
+tackle a number of other problems.
+
+This commit checks the result of stream_puts() in
+pdf_write_cid_system_info_to_stream() and correctly signals an error to
+the caller if that fails.
+
+In pdf_write_cid_system_info we replace a (rather small!) fixed size
+buffer with a dynamically allocated one using the lengths of the strings
+which pdf_write_cid_system_info_to_stream() will write, and a small
+fixed overhead to deal with the keys and initial byte '/'.
+
+Because 'buf' is used in the stream 's', if it is too small to hold all
+the CIDSystemInfo then we would get an error which was simply discarded
+previously.
+
+We now should avoid the potential error by ensuring the buffer is large
+enough for all the information, and if we do get an error we no longer
+silently ignore it, which would write an invalid PDF file.
+---
+ devices/vector/gdevpdtw.c | 52 +++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 41 insertions(+), 11 deletions(-)
+
+--- a/devices/vector/gdevpdtw.c
++++ b/devices/vector/gdevpdtw.c
+@@ -695,7 +695,8 @@ static int
+ pdf_write_cid_system_info_to_stream(gx_device_pdf *pdev, stream *s,
+                           const gs_cid_system_info_t *pcidsi, gs_id object_id)
+ {
+-    byte *Registry, *Ordering;
++    byte *Registry = NULL, *Ordering = NULL;
++    int code = 0;
+ 
+     Registry = gs_alloc_bytes(pdev->pdf_memory, pcidsi->Registry.size, "temporary buffer for Registry");
+     if (!Registry)
+@@ -726,14 +727,19 @@ pdf_write_cid_system_info_to_stream(gx_d
+         }
+         s_arcfour_process_buffer(&sarc4, Ordering, pcidsi->Ordering.size);
+     }
+-    stream_puts(s, "<<\n/Registry");
++    code = stream_puts(s, "<<\n/Registry");
++    if (code < 0)
++        goto error;
+     s_write_ps_string(s, Registry, pcidsi->Registry.size, PRINT_HEX_NOT_OK);
+-    stream_puts(s, "\n/Ordering");
++    code = stream_puts(s, "\n/Ordering");
++    if(code < 0)
++        goto error;
+     s_write_ps_string(s, Ordering, pcidsi->Ordering.size, PRINT_HEX_NOT_OK);
++error:
+     pprintd1(s, "\n/Supplement %d\n>>\n", pcidsi->Supplement);
+     gs_free_object(pdev->pdf_memory, Registry, "free temporary Registry buffer");
+     gs_free_object(pdev->pdf_memory, Ordering, "free temporary Ordering buffer");
+-    return 0;
++    return code;
+ }
+ 
+ int
+@@ -778,31 +784,55 @@ pdf_write_cmap(gx_device_pdf *pdev, cons
+     *ppres = writer.pres;
+     writer.pres->where_used = 0; /* CMap isn't a PDF resource. */
+     if (!pcmap->ToUnicode) {
+-        byte buf[200];
++        byte *buf = NULL;
++        uint64_t buflen = 0;
+         cos_dict_t *pcd = (cos_dict_t *)writer.pres->object;
+         stream s;
+ 
++        /* We use 'buf' for the stream 's' below and that needs to have some extra
++         * space for the CIDSystemInfo. We also need an extra byte for the leading '/'
++         * 100 bytes is ample for the overhead.
++         */
++        buflen = pcmap->CIDSystemInfo->Registry.size + pcmap->CIDSystemInfo->Ordering.size + pcmap->CMapName.size + 100;
++        if (buflen > max_uint)
++            return_error(gs_error_limitcheck);
++
++        buf = gs_alloc_bytes(pdev->memory, buflen, "pdf_write_cmap");
++        if (buf == NULL)
++            return_error(gs_error_VMerror);
++
+         code = cos_dict_put_c_key_int(pcd, "/WMode", pcmap->WMode);
+-        if (code < 0)
++        if (code < 0) {
++            gs_free_object(pdev->memory, buf, "pdf_write_cmap");
+             return code;
++        }
+         buf[0] = '/';
+         memcpy(buf + 1, pcmap->CMapName.data, pcmap->CMapName.size);
+         code = cos_dict_put_c_key_string(pcd, "/CMapName",
+                         buf, pcmap->CMapName.size + 1);
+-        if (code < 0)
++        if (code < 0) {
++            gs_free_object(pdev->memory, buf, "pdf_write_cmap");
+             return code;
++        }
+         s_init(&s, pdev->memory);
+-        swrite_string(&s, buf, sizeof(buf));
++        swrite_string(&s, buf, buflen);
+         code = pdf_write_cid_system_info_to_stream(pdev, &s, pcmap->CIDSystemInfo, 0);
+-        if (code < 0)
++        if (code < 0) {
++            gs_free_object(pdev->memory, buf, "pdf_write_cmap");
+             return code;
++        }
+         code = cos_dict_put_c_key_string(pcd, "/CIDSystemInfo",
+                         buf, stell(&s));
+-        if (code < 0)
++        if (code < 0) {
++            gs_free_object(pdev->memory, buf, "pdf_write_cmap");
+             return code;
++        }
+         code = cos_dict_put_string_copy(pcd, "/Type", "/CMap");
+-        if (code < 0)
++        if (code < 0) {
++            gs_free_object(pdev->memory, buf, "pdf_write_cmap");
+             return code;
++        }
++        gs_free_object(pdev->memory, buf, "pdf_write_cmap");
+     }
+     if (pcmap->CMapName.size == 0) {
+         /* Create an arbitrary name (for ToUnicode CMap). */
diff -Nru ghostscript-9.53.3~dfsg/debian/patches/CVE-2025-59799.patch ghostscript-9.53.3~dfsg/debian/patches/CVE-2025-59799.patch
--- ghostscript-9.53.3~dfsg/debian/patches/CVE-2025-59799.patch	1970-01-01 05:30:00.000000000 +0530
+++ ghostscript-9.53.3~dfsg/debian/patches/CVE-2025-59799.patch	2025-09-29 13:09:22.000000000 +0530
@@ -0,0 +1,35 @@
+From 6dab38fb211f15226c242ab7a83fa53e4b0ff781 Mon Sep 17 00:00:00 2001
+From: Piotr Kajda <petermasterperfect@gmail.com>
+Date: Thu, 8 May 2025 11:37:09 +0100
+Subject: pdfwrite - bounds check some strings
+
+Bug #708517
+
+This differs very slightly from the proposed patch in the bug report, I
+had a quick scout through the C file and found another similar case.
+
+Both fixed here.
+---
+ devices/vector/gdevpdfm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/devices/vector/gdevpdfm.c
++++ b/devices/vector/gdevpdfm.c
+@@ -199,6 +199,8 @@ pdfmark_coerce_dest(gs_param_string *dst
+ {
+     const byte *data = dstr->data;
+     uint size = dstr->size;
++    if (size > MAX_DEST_STRING)
++        return_error(gs_error_limitcheck);
+     if (size == 0 || data[0] != '(')
+         return 0;
+     /****** HANDLE ESCAPES ******/
+@@ -846,6 +848,8 @@ pdfmark_put_ao_pairs(gx_device_pdf * pde
+             char buf[30];
+             int d0, d1;
+ 
++            if (Action[1].size > 29)
++                return_error(gs_error_rangecheck);
+             memcpy(buf, Action[1].data, Action[1].size);
+             buf[Action[1].size] = 0;
+             if (sscanf(buf, "%d %d R", &d0, &d1) == 2)
diff -Nru ghostscript-9.53.3~dfsg/debian/patches/CVE-2025-7462.patch ghostscript-9.53.3~dfsg/debian/patches/CVE-2025-7462.patch
--- ghostscript-9.53.3~dfsg/debian/patches/CVE-2025-7462.patch	1970-01-01 05:30:00.000000000 +0530
+++ ghostscript-9.53.3~dfsg/debian/patches/CVE-2025-7462.patch	2025-10-10 12:27:14.000000000 +0530
@@ -0,0 +1,39 @@
+Backport of:
+
+From 619a106ba4c4abed95110f84d5efcd7aee38c7cb Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 25 Jun 2025 13:23:41 +0100
+Subject: Bug 708606: Catch a null file pointer closing pdfwrite.
+
+In the event of an error opening a new output file.
+---
+ devices/vector/gdevpdf.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/devices/vector/gdevpdf.c
++++ b/devices/vector/gdevpdf.c
+@@ -897,15 +897,20 @@ pdf_open(gx_device * dev)
+ static int
+ pdf_ferror(gx_device_pdf *pdev)
+ {
+-    gp_fflush(pdev->file);
++    int code = 0;
++
++    if (pdev->file != NULL) {
++        gp_fflush(pdev->file);
++        code = gp_ferror(pdev->file);
++    }
+     gp_fflush(pdev->xref.file);
+     sflush(pdev->strm);
+     sflush(pdev->asides.strm);
+     sflush(pdev->streams.strm);
+     sflush(pdev->pictures.strm);
+-    return gp_ferror(pdev->file) || gp_ferror(pdev->xref.file) ||
+-        gp_ferror(pdev->asides.file) || gp_ferror(pdev->streams.file) ||
+-        gp_ferror(pdev->pictures.file);
++    return gp_ferror(pdev->xref.file) || gp_ferror(pdev->asides.file) ||
++        gp_ferror(pdev->streams.file) || gp_ferror(pdev->pictures.file) ||
++        code;
+ }
+ 
+ /* Compute the dominant text orientation of a page. */
diff -Nru ghostscript-9.53.3~dfsg/debian/patches/series ghostscript-9.53.3~dfsg/debian/patches/series
--- ghostscript-9.53.3~dfsg/debian/patches/series	2025-03-31 16:43:42.000000000 +0530
+++ ghostscript-9.53.3~dfsg/debian/patches/series	2025-10-10 12:26:58.000000000 +0530
@@ -44,3 +44,6 @@
 0005-Bug-708131-Fix-confusion-between-bytes-and-shorts.patch
 0006-Bug-708192-Fix-potential-print-buffer-overflow.patch
 0007-Fix-Coverity-IDs-457699-and-457700.patch
+CVE-2025-7462.patch
+CVE-2025-59798.patch
+CVE-2025-59799.patch