
10 Commits

Author SHA1 Message Date
openeuler-ci-bot
e90d1911ef
!147 sync patch from openEuler-24.03-LTS
From: @li_ning_jie 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
2024-11-18 09:30:38 +00:00
liningjie
3937b54462 sync patch from openEuler-24.03-LTS 2024-11-14 18:18:50 +08:00
openeuler-ci-bot
255f6aca27
!128 Fix CVE-2024-46955
From: @li_ning_jie 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
2024-11-01 08:19:21 +00:00
李宁杰
a0f65912c3
Fix CVE-2024-46955 2024-10-30 08:20:04 +00:00
openeuler-ci-bot
a2618ff083
!125 Fix CVE-2024-46956
From: @li_ning_jie 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
2024-10-30 08:07:48 +00:00
liningjie
c7fbb0430c Fix CVE-2024-46956 2024-10-29 17:00:24 +08:00
openeuler-ci-bot
67cb55343d
!120 [sync] PR-114: Fix CVE-2024-46953
From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
2024-10-29 08:32:28 +00:00
liningjie
66e9dee10c Fix CVE-2024-46953
(cherry picked from commit 2713d387491bdd992865c8f00f9703cc8572ccb9)
2024-10-25 18:22:49 +08:00
openeuler-ci-bot
e2fc5059df
!104 [sync] PR-99: Fix CVE-2024-29511
From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
2024-07-16 02:12:42 +00:00
zhangxianting
f6a32ad804 Fix CVE-2024-29511
(cherry picked from commit 4843a060331367cf1583665d1035f6b0f38e777d)
2024-07-12 18:49:23 +08:00
13 changed files with 532 additions and 10 deletions


@ -1,8 +1,9 @@
From 7745dbe24514710b0cfba925e608e607dee9eb0f Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 24 Jan 2024 18:25:12 +0000
Subject: [PATCH 3/6] Bug 707510(3): Bounds checks when using CIDFont related
Subject: [PATCH 3/7] Bug 707510(3): Bounds checks when using CIDFont related
params
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7745dbe24514
Specifically, for CIDFont substitution.
---


@ -0,0 +1,215 @@
From 638159c43dbb48425a187d244ec288d252d0ecf4 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 31 Jan 2024 14:08:18 +0000
Subject: [PATCH 6/7] Bug 707510(5)2: The original fix was overly aggressive
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=638159c43dbb48425a187d244ec288d252d0ecf4
The way the default OCRLanguage value was set was for the relevant get_params
methods to check if the value had been set, and if not return a default value.
This could result in the first time the put_params seeing that value being after
path control has been enabled, meaning it would throw an invalidaccess error.
This changes how we set the default: they now uses an init_device method, so
the string is populated from the device's creation. This works correctly for
both the default value, and for values set on the command line.
---
devices/gdevocr.c | 17 ++++++++++++++++-
devices/gdevpdfocr.c | 28 ++++++++++++++++++++++------
devices/vector/gdevpdf.c | 15 +++++++++++++++
devices/vector/gdevpdfp.c | 3 ++-
4 files changed, 55 insertions(+), 8 deletions(-)
diff --git a/devices/gdevocr.c b/devices/gdevocr.c
index 7f2c6ea3b..b874525de 100644
--- a/devices/gdevocr.c
+++ b/devices/gdevocr.c
@@ -30,6 +30,7 @@
#define X_DPI 72
#define Y_DPI 72
+static dev_proc_initialize_device(ocr_initialize_device);
static dev_proc_print_page(ocr_print_page);
static dev_proc_print_page(hocr_print_page);
static dev_proc_get_params(ocr_get_params);
@@ -55,6 +56,7 @@ ocr_initialize_device_procs(gx_device *dev)
{
gdev_prn_initialize_device_procs_gray_bg(dev);
+ set_dev_proc(dev, initialize_device, ocr_initialize_device);
set_dev_proc(dev, open_device, ocr_open);
set_dev_proc(dev, close_device, ocr_close);
set_dev_proc(dev, get_params, ocr_get_params);
@@ -79,6 +81,7 @@ hocr_initialize_device_procs(gx_device *dev)
{
gdev_prn_initialize_device_procs_gray_bg(dev);
+ set_dev_proc(dev, initialize_device, ocr_initialize_device);
set_dev_proc(dev, open_device, ocr_open);
set_dev_proc(dev, close_device, hocr_close);
set_dev_proc(dev, get_params, ocr_get_params);
@@ -102,6 +105,17 @@ const gx_device_ocr gs_hocr_device =
#define HOCR_HEADER "<html>\n <body>\n"
#define HOCR_TRAILER " </body>\n</html>\n"
+static int
+ocr_initialize_device(gx_device *dev)
+{
+ gx_device_ocr *odev = (gx_device_ocr *)dev;
+ const char *default_ocr_lang = "eng";
+
+ odev->language[0] = '\0';
+ strcpy(odev->language, default_ocr_lang);
+ return 0;
+}
+
static int
ocr_open(gx_device *pdev)
{
@@ -185,7 +199,8 @@ ocr_put_params(gx_device *dev, gs_param_list *plist)
switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
case 0:
- if (pdev->memory->gs_lib_ctx->core->path_control_active) {
+ if (pdev->memory->gs_lib_ctx->core->path_control_active
+ && (strlen(pdev->language) != langstr.size || memcmp(pdev->language, langstr.data, langstr.size) != 0)) {
return_error(gs_error_invalidaccess);
}
else {
diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c
index 0d3c42d8b..f2bec1b49 100644
--- a/devices/gdevpdfocr.c
+++ b/devices/gdevpdfocr.c
@@ -33,9 +33,9 @@
#include "gdevpdfimg.h"
#include "tessocr.h"
-int pdf_ocr_open(gx_device *pdev);
-int pdf_ocr_close(gx_device *pdev);
-
+static dev_proc_initialize_device(pdf_ocr_initialize_device);
+static dev_proc_open_device(pdf_ocr_open);
+static dev_proc_close_device(pdf_ocr_close);
static int
pdfocr_put_some_params(gx_device * dev, gs_param_list * plist)
@@ -50,7 +50,8 @@ pdfocr_put_some_params(gx_device * dev, gs_param_list * plist)
switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
case 0:
- if (pdf_dev->memory->gs_lib_ctx->core->path_control_active) {
+ if (pdf_dev->memory->gs_lib_ctx->core->path_control_active
+ && (strlen(pdf_dev->ocr.language) != langstr.size || memcmp(pdf_dev->ocr.language, langstr.data, langstr.size) != 0)) {
return_error(gs_error_invalidaccess);
}
else {
@@ -152,6 +153,8 @@ pdfocr8_initialize_device_procs(gx_device *dev)
{
gdev_prn_initialize_device_procs_gray(dev);
+ set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
+ set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
set_dev_proc(dev, open_device, pdf_ocr_open);
set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
set_dev_proc(dev, close_device, pdf_ocr_close);
@@ -185,6 +188,7 @@ pdfocr24_initialize_device_procs(gx_device *dev)
{
gdev_prn_initialize_device_procs_rgb(dev);
+ set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
set_dev_proc(dev, open_device, pdf_ocr_open);
set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
set_dev_proc(dev, close_device, pdf_ocr_close);
@@ -216,6 +220,7 @@ pdfocr32_initialize_device_procs(gx_device *dev)
{
gdev_prn_initialize_device_procs_cmyk8(dev);
+ set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
set_dev_proc(dev, open_device, pdf_ocr_open);
set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
set_dev_proc(dev, close_device, pdf_ocr_close);
@@ -703,7 +708,18 @@ ocr_end_page(gx_device_pdf_image *dev)
return 0;
}
-int
+static int
+pdf_ocr_initialize_device(gx_device *dev)
+{
+ gx_device_pdf_image *ppdev = (gx_device_pdf_image *)dev;
+ const char *default_ocr_lang = "eng";
+
+ ppdev->ocr.language[0] = '\0';
+ strcpy(ppdev->ocr.language, default_ocr_lang);
+ return 0;
+}
+
+static int
pdf_ocr_open(gx_device *pdev)
{
gx_device_pdf_image *ppdev;
@@ -726,7 +742,7 @@ pdf_ocr_open(gx_device *pdev)
return 0;
}
-int
+static int
pdf_ocr_close(gx_device *pdev)
{
gx_device_pdf_image *pdf_dev;
diff --git a/devices/vector/gdevpdf.c b/devices/vector/gdevpdf.c
index 6e364d1c7..042e1b4e9 100644
--- a/devices/vector/gdevpdf.c
+++ b/devices/vector/gdevpdf.c
@@ -215,6 +215,7 @@ device_pdfwrite_finalize(const gs_memory_t *cmem, void *vpdev)
}
/* Driver procedures */
+static dev_proc_initialize_device(pdfwrite_initialize_device);
static dev_proc_open_device(pdf_open);
static dev_proc_output_page(pdf_output_page);
static dev_proc_close_device(pdf_close);
@@ -232,6 +233,7 @@ static dev_proc_close_device(pdf_close);
static void
pdfwrite_initialize_device_procs(gx_device *dev)
{
+ set_dev_proc(dev, initialize_device, pdfwrite_initialize_device);
set_dev_proc(dev, open_device, pdf_open);
set_dev_proc(dev, get_initial_matrix, gx_upright_get_initial_matrix);
set_dev_proc(dev, output_page, pdf_output_page);
@@ -777,6 +779,19 @@ pdf_reset_text(gx_device_pdf * pdev)
pdf_reset_text_state(pdev->text);
}
+static int
+pdfwrite_initialize_device(gx_device *dev)
+{
+#if OCR_VERSION > 0
+ gx_device_pdf *pdev = (gx_device_pdf *) dev;
+ const char *default_ocr_lang = "eng";
+ pdev->ocr_language[0] = '\0';
+ strcpy(pdev->ocr_language, default_ocr_lang);
+#endif
+ return 0;
+}
+
+
/* Open the device. */
static int
pdf_open(gx_device * dev)
diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c
index 1f7106c0b..1fdfeaef3 100644
--- a/devices/vector/gdevpdfp.c
+++ b/devices/vector/gdevpdfp.c
@@ -472,7 +472,8 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par
gs_param_string langstr;
switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
case 0:
- if (pdev->memory->gs_lib_ctx->core->path_control_active) {
+ if (pdev->memory->gs_lib_ctx->core->path_control_active
+ && (strlen(pdev->ocr_language) != langstr.size || memcmp(pdev->ocr_language, langstr.data, langstr.size) != 0)) {
return_error(gs_error_invalidaccess);
}
else {
--
2.34.1
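Review bot: The relaxed gate in the three `OCRLanguage` put_params hunks (gdevocr.c, gdevpdfocr.c, gdevpdfp.c) has no comment saying why a put is let through while `path_control_active` is set, so a later reader could take the equality test for an accident and widen it. A comment such as `/* Path control is on: accept only a no-op put of the current value, reject any change */` above each condition would record the intent; the `else` branches that store the value are outside these hunks. Separately, `pdfocr8_initialize_device_procs` registers `pdf_ocr_initialize_device` twice on consecutive lines; the second `set_dev_proc(dev, initialize_device, ...)` looks redundant and could be dropped if it is not in the upstream commit. The `language[0] = '\0';` store before each `strcpy` is also overwritten immediately.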

View File

@ -1,8 +1,9 @@
From 3d4cfdc1a44b1969a0f14c86673a372654d443c4 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 24 Jan 2024 17:06:01 +0000
Subject: [PATCH 5/6] Bug 707510(5): Reject OCRLanguage changes after SAFER
Subject: [PATCH 5/7] Bug 707510(5): Reject OCRLanguage changes after SAFER
enabled
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3d4cfdc1a44
In the devices that support OCR, OCRLanguage really ought never to be set from
PostScript, so reject attempts to change it if path_control_active is true.


@ -1,8 +1,9 @@
From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 11:55:49 +0000
Subject: [PATCH 2/6] Bug 707510 - don't allow PDF files with bad Filters to
Subject: [PATCH 2/7] Bug 707510 - don't allow PDF files with bad Filters to
overflow the debug buffer
http://www.ghostscript.com/cgi-bin/findgit.cgi?77dc7f699beba606937b7ea23b50cf5974fa64b1
Item #2 of the report.


@ -1,7 +1,8 @@
From 917b3a71fb20748965254631199ad98210d6c2fb Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 11:58:22 +0000
Subject: [PATCH 1/6] Bug 707510 - don't use strlen on passwords
Subject: [PATCH 1/7] Bug 707510 - don't use strlen on passwords
http://www.ghostscript.com/cgi-bin/findgit.cgi?917b3a71fb20748965254631199ad98210d6c2fb
Item #1 of the report. This looks like an oversight when first coding
the routine. We should use the PostScript string length, because


@ -1,7 +1,8 @@
From d99396635f3d6ac6a1168e1af21a669e5c8f695f Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 12:16:56 +0000
Subject: [PATCH 6/6] Bug 707510 - fix LIBIDN usage
Subject: [PATCH 7/7] Bug 707510 - fix LIBIDN usage
http://www.ghostscript.com/cgi-bin/findgit.cgi?d99396635f3d6ac6a1168e1af21a669e5c8f695f
This wasn't a reported fault, but it bears fixing anyway.


@ -1,7 +1,8 @@
From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 11:53:44 +0000
Subject: [PATCH 4/6] Bug 707510 - review printing of pointers
Subject: [PATCH 4/7] Bug 707510 - review printing of pointers
http://www.ghostscript.com/cgi-bin/findgit.cgi?ff1013a0ab485b66783b70145e342a82c670906a
This is for item 4 of the report, which is addressed by the change in
gdevpdtb.c. That change uses a fixed name for fonts which have no name


@ -0,0 +1,31 @@
From ada21374f0c90cc3acf7ce0e96302394560c7aee Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Fri, 30 Aug 2024 13:16:39 +0100
Subject: [PATCH] PS interpreter - check the type of the Pattern Implementation
Bug #707991
See bug report for details.
CVE-2024-46951
---
psi/zcolor.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/psi/zcolor.c b/psi/zcolor.c
index d4e7a4438..d3384d75d 100644
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -5276,6 +5276,9 @@ static int patterncomponent(i_ctx_t * i_ctx_p, ref *space, int *n)
code = array_get(imemory, pImpl, 0, &pPatInst);
if (code < 0)
return code;
+
+ if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
+ return_error(gs_error_typecheck);
cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
if (pattern_instance_uses_base_space(cc.pattern))
*n = n_comps;
--
2.34.1
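Review bot: The new type test in `patterncomponent` carries no comment, and the commit message only points at the bug report, so the reason is lost once the patch is applied. Since the next line hands `pPatInst` to `r_ptr(..., gs_pattern_instance_t)`, a comment such as `/* element 0 of pImpl must be a pattern1/pattern2 instance before r_ptr() treats it as one (bug #707991) */` would keep that visible. The function body starts and ends outside the hunk.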


@ -0,0 +1,61 @@
From 1fb76aaddac34530242dfbb9579d9997dae41264 Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Mon, 2 Sep 2024 15:14:01 +0100
Subject: [PATCH] PDF interpreter - sanitise W array values in Xref streams
Bug #708001 "Buffer overflow in PDF XRef stream"
See bug report. I've chosen to fix this by checking the values in the
W array; these can (currently at least) only have certain relatively
small values.
As a future proofing fix I've also updated field_size in
pdf_xref_stream_entries() to be a 64-bit integer. This is far bigger
than required, but matches the W array values and so prevents the
mismatch which could lead to a buffer overrun.
CVE-2024-46952
---
pdf/pdf_xref.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c
index 7e61113..ad45852 100644
--- a/pdf/pdf_xref.c
+++ b/pdf/pdf_xref.c
@@ -53,7 +53,7 @@ static int resize_xref(pdf_context *ctx, uint64_t new_size)
static int read_xref_stream_entries(pdf_context *ctx, pdf_c_stream *s, uint64_t first, uint64_t last, uint64_t *W)
{
uint i, j;
- uint field_width = 0;
+ uint64_t field_width = 0;
uint32_t type = 0;
uint64_t objnum = 0, gen = 0;
byte *Buffer;
@@ -297,6 +297,24 @@ static int pdfi_process_xref_stream(pdf_context *ctx, pdf_stream *stream_obj, pd
}
pdfi_countdown(a);
+ /* W[0] is either:
+ * 0 (no type field) or a single byte with the type.
+ * W[1] is either:
+ * The object number of the next free object, the byte offset of this object in the file or the object5 number of the object stream where this object is stored.
+ * W[2] is either:
+ * The generation number to use if this object is used again, the generation number of the object or the index of this object within the object stream.
+ *
+ * Object and generation numbers are limited to unsigned 64-bit values, as are bytes offsets in the file, indexes of objects within the stream likewise (actually
+ * most of these are generally 32-bit max). So we can limit the field widths to 8 bytes, enough to hold a 64-bit number.
+ * Even if a later version of the spec makes these larger (which seems unlikely!) we still cna't cope with integers > 64-bits.
+ */
+ if (W[0] > 1 || W[1] > 8 || W[2] > 8) {
+ pdfi_close_file(ctx, XRefStrm);
+ pdfi_countdown(ctx->xref_table);
+ ctx->xref_table = NULL;
+ return code;
+ }
+
code = pdfi_dict_get_type(ctx, sdict, "Index", PDF_ARRAY, (pdf_obj **)&a);
if (code == gs_error_undefined) {
code = read_xref_stream_entries(ctx, XRefStrm, 0, size - 1, (uint64_t *)W);
--
2.43.0
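Review bot: The new rejection branch in `pdfi_process_xref_stream` ends with `return code;`, but `code` is assigned outside the hunk; if it is non-negative at this point (the earlier failure paths presumably return on their own), an out-of-range W array frees `ctx->xref_table` and still reports success to the caller. Returning an explicit error, e.g. `return_error(gs_error_rangecheck);`, would remove that dependency. Also worth confirming: `W` is cast to `uint64_t *` when passed to `read_xref_stream_entries`, which suggests it is declared with a different, possibly signed, type; if so, negative entries pass the `> 1` / `> 8` tests unless they are rejected earlier.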


@ -0,0 +1,66 @@
From 294a3755e33f453dd92e2a7c4cfceb087ac09d6a Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Mon, 27 May 2024 13:38:36 +0100
Subject: [PATCH] Bug 707793: Check for overflow validating format string
for the output file name
CVE-2024-46953
---
base/gsdevice.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/base/gsdevice.c b/base/gsdevice.c
index 90e699ab4..c1eaedd85 100644
--- a/base/gsdevice.c
+++ b/base/gsdevice.c
@@ -1070,7 +1070,7 @@ static int
gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
{
bool have_format = false, field;
- int width[2], int_width = sizeof(int) * 3, w = 0;
+ uint width[2], int_width = sizeof(int) * 3, w = 0;
uint i;
/* Scan the file name for a format string, and validate it if present. */
@@ -1099,6 +1099,8 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
default: /* width (field = 0) and precision (field = 1) */
if (strchr("0123456789", pfn->fname[i])) {
width[field] = width[field] * 10 + pfn->fname[i] - '0';
+ if (width[field] > max_int)
+ return_error(gs_error_undefinedfilename);
continue;
} else if (0 == field && '.' == pfn->fname[i]) {
field++;
@@ -1127,8 +1129,10 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
/* Calculate a conservative maximum width. */
w = max(width[0], width[1]);
w = max(w, int_width) + 5;
+ if (w > max_int)
+ return_error(gs_error_undefinedfilename);
}
- return w;
+ return (int)w;
}
/*
@@ -1181,10 +1185,15 @@ gx_parse_output_file_name(gs_parsed_file_name_t *pfn, const char **pfmt,
if (!pfn->fname)
return 0;
code = gx_parse_output_format(pfn, pfmt);
- if (code < 0)
+ if (code < 0) {
return code;
- if (strlen(pfn->iodev->dname) + pfn->len + code >= gp_file_name_sizeof)
+ }
+
+ if (pfn->len >= gp_file_name_sizeof - strlen(pfn->iodev->dname) ||
+ code >= gp_file_name_sizeof - strlen(pfn->iodev->dname) - pfn->len) {
return_error(gs_error_undefinedfilename);
+ }
+
return 0;
}
--
2.34.1
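Review bot: In `gx_parse_output_format` the `width[field] > max_int` test runs after `width[field] * 10 + digit` has been computed, and with `width` now `uint` that arithmetic wraps silently, so an accumulated value can wrap back into range and pass the test. Testing before the multiply avoids this: `if (width[field] > (max_int - (pfn->fname[i] - '0')) / 10) return_error(gs_error_undefinedfilename);`. The function starts before and continues past the hunks shown.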


@ -0,0 +1,60 @@
From ca1fc2aefe9796e321d0589afe7efb35063c8b2a Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Fri, 30 Aug 2024 13:11:53 +0100
Subject: [PATCH] PS interpreter - check Indexed colour space index
Bug #707990 "Out of bounds read when reading color in "Indexed" color space"
Check the 'index' is in the valid range (0 to hival) for the colour
space.
Also a couple of additional checks on the type of the 'proc' for
Indexed, DeviceN and Separation spaces. Make sure these really are
procs in case the user changed the colour space array.
CVE-2024-46955
---
psi/zcolor.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/psi/zcolor.c b/psi/zcolor.c
index c0d73c2..7d15ec7 100644
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -3629,6 +3629,7 @@ static int septransform(i_ctx_t *i_ctx_p, ref *sepspace, int *usealternate, int
code = array_get(imemory, sepspace, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*esp = proc;
return o_push_estack;
}
@@ -4450,6 +4451,7 @@ static int devicentransform(i_ctx_t *i_ctx_p, ref *devicenspace, int *usealterna
code = array_get(imemory, devicenspace, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*esp = proc;
return o_push_estack;
}
@@ -4865,6 +4867,7 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
code = array_get(imemory, space, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*ep = proc; /* lookup proc */
return o_push_estack;
} else {
@@ -4878,6 +4881,9 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
if (!r_has_type(op, t_integer))
return_error (gs_error_typecheck);
index = op->value.intval;
+ /* Ensure it is in range. See bug #707990 */
+ if (index < 0 || index > pcs->params.indexed.hival)
+ return_error(gs_error_rangecheck);
/* And remove it from the stack. */
ref_stack_pop(&o_stack, 1);
op = osp;
--
2.27.0
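Review bot: The three added `check_proc(proc);` calls (in `septransform`, `devicentransform` and `indexedbasecolor`) have no comment, while the index range check beside them cites the bug. The commit message gives the reason, that the colour space array may have been changed by the user, and a one-line comment such as `/* the space array may have been modified; make sure this is still a procedure */` before each call would keep it with the code. All four hunks sit inside functions that begin and end outside the visible lines.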


@ -0,0 +1,30 @@
From ea69a1388245ad959d31c272b5ba66d40cebba2c Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Tue, 23 Jul 2024 11:48:39 +0100
Subject: [PATCH] PostScript interpreter - fix buffer length check
Bug 707895
See bug report for details.
CVE-2024-46956
---
psi/zfile.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/psi/zfile.c b/psi/zfile.c
index fe3f7e9..027f412 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -440,7 +440,7 @@ file_continue(i_ctx_t *i_ctx_p)
if (code == ~(uint) 0) { /* all done */
esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
return o_pop_estack;
- } else if (code > len) { /* overran string */
+ } else if (code > len - devlen) { /* overran string */
return_error(gs_error_rangecheck);
}
else if (iodev != iodev_default(imemory)
--
2.27.0
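Review bot: The new bound `code > len - devlen` in `file_continue` is only safe if `devlen <= len` already holds at this point; the declarations and any earlier check are outside the hunk, so please confirm. If both are unsigned, a larger `devlen` would wrap the subtraction and the rangecheck would never fire. A one-line comment such as `/* devlen <= len is checked above, so len - devlen cannot wrap */` would make that dependency explicit, provided the earlier check exists.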


@ -9,7 +9,7 @@
Name: ghostscript
Version: 9.56.1
Release: 7
Release: 13
Summary: An interpreter for PostScript and PDF files
License: AGPLv3+
URL: https://ghostscript.com/
@ -47,16 +47,28 @@ Patch108: fix-CVE-2024-33870.patch
Patch109: fix-CVE-2024-33871.patch
# https://bugs.ghostscript.com/show_bug.cgi?id=707510
# CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511
# CVE-2024-29509
Patch110: Bug-707510-don-t-use-strlen-on-passwords.patch
# CVE-2024-29506
Patch111: Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
# CVE-2024-29507
Patch112: Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
# CVE-2024-29508
Patch113: Bug-707510-review-printing-of-pointers.patch
# CVE-2024-29511
Patch114: Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch
Patch115: Bug-707510-fix-LIBIDN-usage.patch
Patch115: Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch
Patch116: Bug-707510-fix-LIBIDN-usage.patch
# See bug thread for details
#This is the second part of the fix for CVE-2024-33869
Patch116: fix-CVE-2024-33869-second.patch
Patch117: fix-CVE-2024-33869-second.patch
Patch118: backport-CVE-2024-46953.patch
Patch119: backport-CVE-2024-46956.patch
Patch120: backport-CVE-2024-46951.patch
Patch121: backport-CVE-2024-46952.patch
Patch122: backport-CVE-2024-46955.patch
BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -141,7 +153,12 @@ PDF files using Ghostscript and dvips
%patch114 -p1
%patch115 -p1
%patch116 -p1
%patch117 -p1
%patch118 -p1
%patch119 -p1
%patch120 -p1
%patch121 -p1
%patch122 -p1
# Libraries that we already have packaged(see Build Requirements):
rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
@ -235,6 +252,42 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
%{_bindir}/dvipdf
%changelog
* Fri Nov 08 2024 liningjie <liningjie@xfusion.com> - 9.56.1-13
- Type:CVE
- ID:NA
- SUG:NA
- DECS: Fix CVE-2024-46955
* Tue Nov 05 2024 liningjie <liningjie@xfusion.com> - 9.56.1-12
- Type:CVE
- ID:NA
- SUG:NA
- DECS: Fix CVE-2024-46952
* Fri Nov 01 2024 liningjie <liningjie@xfusion.com> - 9.56.1-11
- Type:CVE
- ID:NA
- SUG:NA
- DECS: Fix CVE-2024-46951
* Fri Oct 25 2024 liningjie <liningjie@xfusion.com> - 9.56.1-10
- Type:CVE
- ID:NA
- SUG:NA
- DECS: Fix CVE-2024-46956
* Fri Oct 25 2024 liningjie <liningjie@xfusion.com> - 9.56.1-9
- Type:CVE
- ID:NA
- SUG:NA
- DECS: Fix CVE-2024-46953
* Fri Jul 12 2024 zhangxianting <zhangxianting@uniontech.com> - 9.56.1-8
- Type:CVE
- ID:NA
- SUG:NA
- DECS: This is the second part of the fix for CVE-2024-29511
* Fri Jul 12 2024 zhangxingrong-<zhangxingrong@uniontech.cn> - 9.56.1-7
- Type:CVE
- ID:NA