Fix CVE-2024-29511

(cherry picked from commit 4843a060331367cf1583665d1035f6b0f38e777d)

Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch

@@ -1,8 +1,9 @@
 From 7745dbe24514710b0cfba925e608e607dee9eb0f Mon Sep 17 00:00:00 2001
 From: Chris Liddell <chris.liddell@artifex.com>
 Date: Wed, 24 Jan 2024 18:25:12 +0000
-Subject: [PATCH 3/6] Bug 707510(3): Bounds checks when using CIDFont related 
+Subject: [PATCH 3/7] Bug 707510(3): Bounds checks when using CIDFont related 
  params
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7745dbe24514
 
 Specifically, for CIDFont substitution.
 ---

Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch

@@ -0,0 +1,215 @@
+From 638159c43dbb48425a187d244ec288d252d0ecf4 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 31 Jan 2024 14:08:18 +0000
+Subject: [PATCH 6/7] Bug 707510(5)2: The original fix was overly aggressive
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=638159c43dbb48425a187d244ec288d252d0ecf4
+
+The way the default OCRLanguage value was set was for the relevant get_params
+methods to check if the value had been set, and if not return a default value.
+This could result in the first time the put_params seeing that value being after
+path control has been enabled, meaning it would throw an invalidaccess error.
+
+This changes how we set the default: they now uses an init_device method, so
+the string is populated from the device's creation. This works correctly for
+both the default value, and for values set on the command line.
+---
+ devices/gdevocr.c         | 17 ++++++++++++++++-
+ devices/gdevpdfocr.c      | 28 ++++++++++++++++++++++------
+ devices/vector/gdevpdf.c  | 15 +++++++++++++++
+ devices/vector/gdevpdfp.c |  3 ++-
+ 4 files changed, 55 insertions(+), 8 deletions(-)
+
+diff --git a/devices/gdevocr.c b/devices/gdevocr.c
+index 7f2c6ea3b..b874525de 100644
+--- a/devices/gdevocr.c
++++ b/devices/gdevocr.c
+@@ -30,6 +30,7 @@
+ #define X_DPI 72
+ #define Y_DPI 72
+ 
++static dev_proc_initialize_device(ocr_initialize_device);
+ static dev_proc_print_page(ocr_print_page);
+ static dev_proc_print_page(hocr_print_page);
+ static dev_proc_get_params(ocr_get_params);
+@@ -55,6 +56,7 @@ ocr_initialize_device_procs(gx_device *dev)
+ {
+     gdev_prn_initialize_device_procs_gray_bg(dev);
+ 
++    set_dev_proc(dev, initialize_device, ocr_initialize_device);
+     set_dev_proc(dev, open_device, ocr_open);
+     set_dev_proc(dev, close_device, ocr_close);
+     set_dev_proc(dev, get_params, ocr_get_params);
+@@ -79,6 +81,7 @@ hocr_initialize_device_procs(gx_device *dev)
+ {
+     gdev_prn_initialize_device_procs_gray_bg(dev);
+ 
++    set_dev_proc(dev, initialize_device, ocr_initialize_device);
+     set_dev_proc(dev, open_device, ocr_open);
+     set_dev_proc(dev, close_device, hocr_close);
+     set_dev_proc(dev, get_params, ocr_get_params);
+@@ -102,6 +105,17 @@ const gx_device_ocr gs_hocr_device =
+ #define HOCR_HEADER "<html>\n <body>\n"
+ #define HOCR_TRAILER " </body>\n</html>\n"
+ 
++static int
++ocr_initialize_device(gx_device *dev)
++{
++    gx_device_ocr *odev = (gx_device_ocr *)dev;
++    const char *default_ocr_lang = "eng";
++
++    odev->language[0] = '\0';
++    strcpy(odev->language, default_ocr_lang);
++    return 0;
++}
++
+ static int
+ ocr_open(gx_device *pdev)
+ {
+@@ -185,7 +199,8 @@ ocr_put_params(gx_device *dev, gs_param_list *plist)
+ 
+     switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
+         case 0:
+-            if (pdev->memory->gs_lib_ctx->core->path_control_active) {
++                if (pdev->memory->gs_lib_ctx->core->path_control_active
++                && (strlen(pdev->language) != langstr.size || memcmp(pdev->language, langstr.data, langstr.size) != 0)) {
+                 return_error(gs_error_invalidaccess);
+             }
+             else {
+diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c
+index 0d3c42d8b..f2bec1b49 100644
+--- a/devices/gdevpdfocr.c
++++ b/devices/gdevpdfocr.c
+@@ -33,9 +33,9 @@
+ #include "gdevpdfimg.h"
+ #include "tessocr.h"
+ 
+-int pdf_ocr_open(gx_device *pdev);
+-int pdf_ocr_close(gx_device *pdev);
+-
++static dev_proc_initialize_device(pdf_ocr_initialize_device);
++static dev_proc_open_device(pdf_ocr_open);
++static dev_proc_close_device(pdf_ocr_close);
+ 
+ static int
+ pdfocr_put_some_params(gx_device * dev, gs_param_list * plist)
+@@ -50,7 +50,8 @@ pdfocr_put_some_params(gx_device * dev, gs_param_list * plist)
+ 
+     switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
+         case 0:
+-            if (pdf_dev->memory->gs_lib_ctx->core->path_control_active) {
++                if (pdf_dev->memory->gs_lib_ctx->core->path_control_active
++                && (strlen(pdf_dev->ocr.language) != langstr.size || memcmp(pdf_dev->ocr.language, langstr.data, langstr.size) != 0)) {
+                 return_error(gs_error_invalidaccess);
+             }
+             else {
+@@ -152,6 +153,8 @@ pdfocr8_initialize_device_procs(gx_device *dev)
+ {
+     gdev_prn_initialize_device_procs_gray(dev);
+ 
++    set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
++    set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
+     set_dev_proc(dev, open_device, pdf_ocr_open);
+     set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
+     set_dev_proc(dev, close_device, pdf_ocr_close);
+@@ -185,6 +188,7 @@ pdfocr24_initialize_device_procs(gx_device *dev)
+ {
+     gdev_prn_initialize_device_procs_rgb(dev);
+ 
++    set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
+     set_dev_proc(dev, open_device, pdf_ocr_open);
+     set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
+     set_dev_proc(dev, close_device, pdf_ocr_close);
+@@ -216,6 +220,7 @@ pdfocr32_initialize_device_procs(gx_device *dev)
+ {
+     gdev_prn_initialize_device_procs_cmyk8(dev);
+ 
++    set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
+     set_dev_proc(dev, open_device, pdf_ocr_open);
+     set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
+     set_dev_proc(dev, close_device, pdf_ocr_close);
+@@ -703,7 +708,18 @@ ocr_end_page(gx_device_pdf_image *dev)
+     return 0;
+ }
+ 
+-int
++static int
++pdf_ocr_initialize_device(gx_device *dev)
++{
++    gx_device_pdf_image *ppdev = (gx_device_pdf_image *)dev;
++    const char *default_ocr_lang = "eng";
++
++    ppdev->ocr.language[0] = '\0';
++    strcpy(ppdev->ocr.language, default_ocr_lang);
++    return 0;
++}
++
++static int
+ pdf_ocr_open(gx_device *pdev)
+ {
+     gx_device_pdf_image *ppdev;
+@@ -726,7 +742,7 @@ pdf_ocr_open(gx_device *pdev)
+     return 0;
+ }
+ 
+-int
++static int
+ pdf_ocr_close(gx_device *pdev)
+ {
+     gx_device_pdf_image *pdf_dev;
+diff --git a/devices/vector/gdevpdf.c b/devices/vector/gdevpdf.c
+index 6e364d1c7..042e1b4e9 100644
+--- a/devices/vector/gdevpdf.c
++++ b/devices/vector/gdevpdf.c
+@@ -215,6 +215,7 @@ device_pdfwrite_finalize(const gs_memory_t *cmem, void *vpdev)
+ }
+ 
+ /* Driver procedures */
++static dev_proc_initialize_device(pdfwrite_initialize_device);
+ static dev_proc_open_device(pdf_open);
+ static dev_proc_output_page(pdf_output_page);
+ static dev_proc_close_device(pdf_close);
+@@ -232,6 +233,7 @@ static dev_proc_close_device(pdf_close);
+ static void
+ pdfwrite_initialize_device_procs(gx_device *dev)
+ {
++    set_dev_proc(dev, initialize_device, pdfwrite_initialize_device);
+     set_dev_proc(dev, open_device, pdf_open);
+     set_dev_proc(dev, get_initial_matrix, gx_upright_get_initial_matrix);
+     set_dev_proc(dev, output_page, pdf_output_page);
+@@ -777,6 +779,19 @@ pdf_reset_text(gx_device_pdf * pdev)
+     pdf_reset_text_state(pdev->text);
+ }
+ 
++static int
++pdfwrite_initialize_device(gx_device *dev)
++{
++#if OCR_VERSION > 0
++    gx_device_pdf *pdev = (gx_device_pdf *) dev;
++    const char *default_ocr_lang = "eng";
++    pdev->ocr_language[0] = '\0';
++    strcpy(pdev->ocr_language, default_ocr_lang);
++#endif
++    return 0;
++}
++
++
+ /* Open the device. */
+ static int
+ pdf_open(gx_device * dev)
+diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c
+index 1f7106c0b..1fdfeaef3 100644
+--- a/devices/vector/gdevpdfp.c
++++ b/devices/vector/gdevpdfp.c
+@@ -472,7 +472,8 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par
+         gs_param_string langstr;
+         switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
+             case 0:
+-                if (pdev->memory->gs_lib_ctx->core->path_control_active) {
++                if (pdev->memory->gs_lib_ctx->core->path_control_active
++                && (strlen(pdev->ocr_language) != langstr.size || memcmp(pdev->ocr_language, langstr.data, langstr.size) != 0)) {
+                     return_error(gs_error_invalidaccess);
+                 }
+                 else {
+-- 
+2.34.1
+

Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch

@@ -1,8 +1,9 @@
 From 3d4cfdc1a44b1969a0f14c86673a372654d443c4 Mon Sep 17 00:00:00 2001
 From: Chris Liddell <chris.liddell@artifex.com>
 Date: Wed, 24 Jan 2024 17:06:01 +0000
-Subject: [PATCH 5/6] Bug 707510(5): Reject OCRLanguage changes after SAFER
+Subject: [PATCH 5/7] Bug 707510(5): Reject OCRLanguage changes after SAFER
  enabled
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3d4cfdc1a44
 
 In the devices that support OCR, OCRLanguage really ought never to be set from
 PostScript, so reject attempts to change it if path_control_active is true.

Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch

@@ -1,8 +1,9 @@
 From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001
 From: Ken Sharp <Ken.Sharp@artifex.com>
 Date: Thu, 25 Jan 2024 11:55:49 +0000
-Subject: [PATCH 2/6] Bug 707510 - don't allow PDF files with bad Filters to 
+Subject: [PATCH 2/7] Bug 707510 - don't allow PDF files with bad Filters to 
  overflow the debug buffer
+http://www.ghostscript.com/cgi-bin/findgit.cgi?77dc7f699beba606937b7ea23b50cf5974fa64b1
 
 Item #2 of the report.
 

Bug-707510-don-t-use-strlen-on-passwords.patch

@@ -1,7 +1,8 @@
 From 917b3a71fb20748965254631199ad98210d6c2fb Mon Sep 17 00:00:00 2001
 From: Ken Sharp <Ken.Sharp@artifex.com>
 Date: Thu, 25 Jan 2024 11:58:22 +0000
-Subject: [PATCH 1/6] Bug 707510 - don't use strlen on passwords
+Subject: [PATCH 1/7] Bug 707510 - don't use strlen on passwords
+http://www.ghostscript.com/cgi-bin/findgit.cgi?917b3a71fb20748965254631199ad98210d6c2fb
 
 Item #1 of the report. This looks like an oversight when first coding
 the routine. We should use the PostScript string length, because

Bug-707510-fix-LIBIDN-usage.patch

@@ -1,7 +1,8 @@
 From d99396635f3d6ac6a1168e1af21a669e5c8f695f Mon Sep 17 00:00:00 2001
 From: Ken Sharp <Ken.Sharp@artifex.com>
 Date: Thu, 25 Jan 2024 12:16:56 +0000
-Subject: [PATCH 6/6] Bug 707510 - fix LIBIDN usage
+Subject: [PATCH 7/7] Bug 707510 - fix LIBIDN usage
+http://www.ghostscript.com/cgi-bin/findgit.cgi?d99396635f3d6ac6a1168e1af21a669e5c8f695f
 
 This wasn't a reported fault, but it bears fixing anyway.
 

Bug-707510-review-printing-of-pointers.patch

@@ -1,7 +1,8 @@
 From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001
 From: Ken Sharp <Ken.Sharp@artifex.com>
 Date: Thu, 25 Jan 2024 11:53:44 +0000
-Subject: [PATCH 4/6] Bug 707510 - review printing of pointers
+Subject: [PATCH 4/7] Bug 707510 - review printing of pointers
+http://www.ghostscript.com/cgi-bin/findgit.cgi?ff1013a0ab485b66783b70145e342a82c670906a
 
 This is for item 4 of the report, which is addressed by the change in
 gdevpdtb.c. That change uses a fixed name for fonts which have no name

ghostscript.spec

@@ -9,7 +9,7 @@
 
 Name:             ghostscript
 Version:          9.56.1
-Release:          7
+Release:          8
 Summary:          An interpreter for PostScript and PDF files
 License:          AGPLv3+
 URL:              https://ghostscript.com/
@@ -47,16 +47,23 @@ Patch108:  fix-CVE-2024-33870.patch
 Patch109:  fix-CVE-2024-33871.patch
 # https://bugs.ghostscript.com/show_bug.cgi?id=707510
 # CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511
+# CVE-2024-29509
 Patch110:  Bug-707510-don-t-use-strlen-on-passwords.patch
+# CVE-2024-29506
 Patch111:  Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
+# CVE-2024-29507
 Patch112:  Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
+# CVE-2024-29508
 Patch113:  Bug-707510-review-printing-of-pointers.patch
+# CVE-2024-29511
 Patch114:  Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch
-Patch115:  Bug-707510-fix-LIBIDN-usage.patch
+Patch115:  Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch
+
+Patch116:  Bug-707510-fix-LIBIDN-usage.patch
 
 # See bug thread for details
 #This is the second part of the fix for CVE-2024-33869
-Patch116:  fix-CVE-2024-33869-second.patch
+Patch117:  fix-CVE-2024-33869-second.patch
 
 BuildRequires:    automake gcc
 BuildRequires:    adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -141,6 +148,7 @@ PDF files using Ghostscript and dvips
 %patch114 -p1
 %patch115 -p1
 %patch116 -p1
+%patch117 -p1
 
 
 # Libraries that we already have packaged(see Build Requirements):
@@ -235,6 +243,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 
 %changelog
+* Fri Jul 12 2024 zhangxianting <zhangxianting@uniontech.com> - 9.56.1-8
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: This is the second part of the fix for CVE-2024-29511
+
 * Fri Jul 12 2024 zhangxingrong-<zhangxingrong@uniontech.cn> - 9.56.1-7
 - Type:CVE
 - ID:NA