packages/ghostscript
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:e09858a0d3d2340ff75c10f43df88c8fca1945c4
Branches Tags
packages:main
..
compare: packages:e060c2aa4054e886ea02a9d81aa056560ed024cd
Branches Tags
packages:main

No commits in common. "e09858a0d3d2340ff75c10f43df88c8fca1945c4" and "e060c2aa4054e886ea02a9d81aa056560ed024cd" have entirely different histories.
e09858a0d3 ... e060c2aa40

6 changed files with 1 additions and 285 deletions
Show Stats Expand all files Collapse all files

31
backport-CVE-2024-46951.patch
View File

@ -1,31 +0,0 @@
From ada21374f0c90cc3acf7ce0e96302394560c7aee Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Fri, 30 Aug 2024 13:16:39 +0100
Subject: [PATCH] PS interpreter - check the type of the Pattern Implementation
Bug #707991
See bug report for details.
CVE-2024-46951
---
psi/zcolor.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/psi/zcolor.c b/psi/zcolor.c
index d4e7a4438..d3384d75d 100644
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -5276,6 +5276,9 @@ static int patterncomponent(i_ctx_t * i_ctx_p, ref *space, int *n)
code = array_get(imemory, pImpl, 0, &pPatInst);
if (code < 0)
return code;
+
+ if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
+ return_error(gs_error_typecheck);
cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
if (pattern_instance_uses_base_space(cc.pattern))
*n = n_comps;
--
2.34.1

66
backport-CVE-2024-46953.patch
View File

@ -1,66 +0,0 @@
From 294a3755e33f453dd92e2a7c4cfceb087ac09d6a Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Mon, 27 May 2024 13:38:36 +0100
Subject: [PATCH] Bug 707793: Check for overflow validating format string
for the output file name
CVE-2024-46953
---
base/gsdevice.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/base/gsdevice.c b/base/gsdevice.c
index 90e699ab4..c1eaedd85 100644
--- a/base/gsdevice.c
+++ b/base/gsdevice.c
@@ -1070,7 +1070,7 @@ static int
gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
{
bool have_format = false, field;
- int width[2], int_width = sizeof(int) * 3, w = 0;
+ uint width[2], int_width = sizeof(int) * 3, w = 0;
uint i;
/* Scan the file name for a format string, and validate it if present. */
@@ -1099,6 +1099,8 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
default: /* width (field = 0) and precision (field = 1) */
if (strchr("0123456789", pfn->fname[i])) {
width[field] = width[field] * 10 + pfn->fname[i] - '0';
+ if (width[field] > max_int)
+ return_error(gs_error_undefinedfilename);
continue;
} else if (0 == field && '.' == pfn->fname[i]) {
field++;
@@ -1127,8 +1129,10 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
/* Calculate a conservative maximum width. */
w = max(width[0], width[1]);
w = max(w, int_width) + 5;
+ if (w > max_int)
+ return_error(gs_error_undefinedfilename);
}
- return w;
+ return (int)w;
}
/*
@@ -1181,10 +1185,15 @@ gx_parse_output_file_name(gs_parsed_file_name_t *pfn, const char **pfmt,
if (!pfn->fname)
return 0;
code = gx_parse_output_format(pfn, pfmt);
- if (code < 0)
+ if (code < 0) {
return code;
- if (strlen(pfn->iodev->dname) + pfn->len + code >= gp_file_name_sizeof)
+ }
+
+ if (pfn->len >= gp_file_name_sizeof - strlen(pfn->iodev->dname) ||
+ code >= gp_file_name_sizeof - strlen(pfn->iodev->dname) - pfn->len) {
return_error(gs_error_undefinedfilename);
+ }
+
return 0;
}
--
2.34.1

60
backport-CVE-2024-46955.patch
View File

@ -1,60 +0,0 @@
From ca1fc2aefe9796e321d0589afe7efb35063c8b2a Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Fri, 30 Aug 2024 13:11:53 +0100
Subject: [PATCH] PS interpreter - check Indexed colour space index
Bug #707990 "Out of bounds read when reading color in "Indexed" color space"
Check the 'index' is in the valid range (0 to hival) for the colour
space.
Also a couple of additional checks on the type of the 'proc' for
Indexed, DeviceN and Separation spaces. Make sure these really are
procs in case the user changed the colour space array.
CVE-2024-46955
---
psi/zcolor.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/psi/zcolor.c b/psi/zcolor.c
index 373bc06..7c00033 100644
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -3635,6 +3635,7 @@ static int septransform(i_ctx_t *i_ctx_p, ref *sepspace, int *usealternate, int
code = array_get(imemory, sepspace, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*esp = proc;
return o_push_estack;
}
@@ -4457,6 +4458,7 @@ static int devicentransform(i_ctx_t *i_ctx_p, ref *devicenspace, int *usealterna
code = array_get(imemory, devicenspace, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*esp = proc;
return o_push_estack;
}
@@ -4872,6 +4874,7 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
code = array_get(imemory, space, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*ep = proc; /* lookup proc */
return o_push_estack;
} else {
@@ -4885,6 +4888,9 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
if (!r_has_type(op, t_integer))
return_error (gs_error_typecheck);
index = op->value.intval;
+ /* Ensure it is in range. See bug #707990 */
+ if (index < 0 || index > pcs->params.indexed.hival)
+ return_error(gs_error_rangecheck);
/* And remove it from the stack. */
pop(1);
op = osp;
--
2.33.0

30
backport-CVE-2024-46956.patch
View File

@ -1,30 +0,0 @@
From ea69a1388245ad959d31c272b5ba66d40cebba2c Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Tue, 23 Jul 2024 11:48:39 +0100
Subject: [PATCH] PostScript interpreter - fix buffer length check
Bug 707895
See bug report for details.
CVE-2024-46956
---
psi/zfile.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/psi/zfile.c b/psi/zfile.c
index fe3f7e9..027f412 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -440,7 +440,7 @@ file_continue(i_ctx_t *i_ctx_p)
if (code == ~(uint) 0) { /* all done */
esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
return o_pop_estack;
- } else if (code > len) { /* overran string */
+ } else if (code > len - devlen) { /* overran string */
return_error(gs_error_rangecheck);
}
else if (iodev != iodev_default(imemory)
--
2.27.0

62
fix-CVE-2024-33871.patch
View File

@ -1,62 +0,0 @@
diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
index 70475ad..013a497 100644
--- a/contrib/opvp/gdevopvp.c
+++ b/contrib/opvp/gdevopvp.c
@@ -185,7 +185,7 @@ static int opvp_copy_color(gx_device *, const byte *, int, int,
static int _get_params(gs_param_list *);
static int opvp_get_params(gx_device *, gs_param_list *);
static int oprp_get_params(gx_device *, gs_param_list *);
-static int _put_params(gs_param_list *);
+static int _put_params(gx_device *, gs_param_list *);
static int opvp_put_params(gx_device *, gs_param_list *);
static int oprp_put_params(gx_device *, gs_param_list *);
static int opvp_fill_path(gx_device *, const gs_gstate *, gx_path *,
@@ -3043,7 +3043,7 @@ _get_params(gs_param_list *plist)
/* vector driver name */
pname = "Driver";
vdps.data = (byte *)vectorDriver;
- vdps.size = (vectorDriver ? strlen(vectorDriver) + 1 : 0);
+ vdps.size = (vectorDriver ? strlen(vectorDriver) : 0);
vdps.persistent = false;
code = param_write_string(plist, pname, &vdps);
if (code) ecode = code;
@@ -3180,7 +3180,7 @@ oprp_get_params(gx_device *dev, gs_param_list *plist)
* put params
*/
static int
-_put_params(gs_param_list *plist)
+_put_params(gx_device *dev, gs_param_list *plist)
{
int code;
int ecode = 0;
@@ -3202,6 +3202,12 @@ _put_params(gs_param_list *plist)
code = param_read_string(plist, pname, &vdps);
switch (code) {
case 0:
+ if (gs_is_path_control_active(dev->memory)
+ && (!vectorDriver || strlen(vectorDriver) != vdps.size
+ || memcmp(vectorDriver, vdps.data, vdps.size) != 0)) {
+ param_signal_error(plist, pname, gs_error_invalidaccess);
+ return_error(gs_error_invalidaccess);
+ }
buff = realloc(buff, vdps.size + 1);
memcpy(buff, vdps.data, vdps.size);
buff[vdps.size] = 0;
@@ -3403,7 +3409,7 @@ opvp_put_params(gx_device *dev, gs_param_list *plist)
int code;
/* put params */
- code = _put_params(plist);
+ code = _put_params(dev, plist);
if (code) return code;
/* put default params */
@@ -3419,7 +3425,7 @@ oprp_put_params(gx_device *dev, gs_param_list *plist)
int code;
/* put params */
- code = _put_params(plist);
+ code = _put_params(dev, plist);
if (code) return code;
/* put default params */

37
ghostscript.spec
View File

@ -9,7 +9,7 @@
Name: ghostscript
Version: 9.52
Release: 20
Release: 15
Summary: An interpreter for PostScript and PDF files
License: AGPLv3+
URL: https://ghostscript.com/
@ -59,11 +59,6 @@ Patch40: fix-CVE-2024-29510.patch
Patch41: fix-CVE-2024-33869.patch
Patch42: fix-CVE-2024-33870.patch
Patch43: backport-CVE-2024-29508.patch
Patch44: fix-CVE-2024-33871.patch
Patch45: backport-CVE-2024-46953.patch
Patch46: backport-CVE-2024-46956.patch
Patch47: backport-CVE-2024-46955.patch
Patch48: backport-CVE-2024-46951.patch
BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -224,36 +219,6 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
%{_bindir}/dvipdf
%changelog
* Fri Nov 01 2024 liningjie <liningjie@xfusion.com> - 9.52-20
- Type:CVE
- ID:NA
- SUG:NA
- DECS: Fix CVE-2024-46951
* Wed Oct 30 2024 liningjie <liningjie@xfusion.com> - 9.52-19
- Type:CVE
- ID:NA
- SUG:NA
- DECS: Fix CVE-2024-46955
* Fri Oct 25 2024 liningjie <liningjie@xfusion.com> - 9.52-18
- Type:CVE
- ID:NA
- SUG:NA
- DECS: Fix CVE-2024-46956
* Fri Oct 25 2024 liningjie <liningjie@xfusion.com> - 9.52-17
- Type:CVE
- ID:NA
- SUG:NA
- DECS: Fix CVE-2024-46953
* Tue Sep 24 2024 dillon chen <dillon.chen@gmail.com> - 9.52-16
- Type:CVE
- ID:NA
- SUG:NA
- DECS: fix CVE-2024-33871
* Fri Aug 16 2024 zhangxianting <zhangxianting@uniontech.com> - 9.52-15
- Type:CVE
- ID:NA