CVE 28879 36664 38559

2023-08-02 17:54:54 +08:00 · 2023-08-02 17:54:54 +08:00 · 8e08a7a984
commit 8e08a7a984
parent 24e46dd85d
4 changed files with 178 additions and 1 deletions
--- a/CVE-2023-28879.patch
+++ b/CVE-2023-28879.patch
@ -0,0 +1,17 @@
+--- base/sbcp.c.orig	2020-03-19 09:21:42.000000000 +0100
+++ base/sbcp.c	2023-04-03 12:36:26.024927229 +0200
+@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, strea
+         byte ch = *++p;
+ 
+         if (ch <= 31 && escaped[ch]) {
+            /* Make sure we have space to store two characters in the write buffer,
+             * if we don't then exit without consuming the input character, we'll process
+             * that on the next time round.
+             */
+            if (pw->limit - q < 2) {
+                p--;
+                break;
+            }
+             if (p == rlimit) {
+                 p--;
+                 break;
--- a/CVE-2023-36664.patch
+++ b/CVE-2023-36664.patch
@ -0,0 +1,116 @@
+--- base/gpmisc.c.orig	2022-04-04 15:48:49.000000000 +0200
+++ base/gpmisc.c	2023-07-04 08:13:02.173325373 +0200
+@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *
+              && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+           prefix_len = 0;
+     }
+-    rlen = len+1;
+-    bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+-    if (bufferfull == NULL)
+-        return gs_error_VMerror;
+ 
+-    buffer = bufferfull + prefix_len;
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+        bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+        memcpy(buffer, path, len);
+        buffer[len] = 0;
+        rlen = len;
+    }
+    else {
+        rlen = len+1;
+        bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+        if (bufferfull == NULL)
+            return gs_error_VMerror;
+ 
+        buffer = bufferfull + prefix_len;
+        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+            return gs_error_invalidfileaccess;
+        buffer[rlen] = 0;
+    }
+     while (1) {
+         switch (mode[0])
+         {
+--- base/gslibctx.c.orig	2022-04-04 15:48:49.000000000 +0200
+++ base/gslibctx.c	2023-07-04 08:09:47.834639430 +0200
+@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_m
+             return gs_error_rangecheck;
+     }
+ 
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
+-
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+        memcpy(buffer, path, len);
+        buffer[len] = 0;
+        rlen = len;
+    }
+    else {
+        rlen = len + 1;
+
+        buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+
+        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+            return gs_error_invalidfileaccess;
+        buffer[rlen] = 0;
+    }
+ 
+     n = control->num;
+     for (i = 0; i < n; i++)
+@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const g
+             return gs_error_rangecheck;
+     }
+ 
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
+-
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+        memcpy(buffer, path, len);
+        buffer[len] = 0;
+        rlen = len;
+    }
+    else {
+        rlen = len+1;
+
+        buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+
+        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+            return gs_error_invalidfileaccess;
+        buffer[rlen] = 0;
+    }
+ 
+     n = control->num;
+     for (i = 0; i < n; i++) {
--- a/CVE-2023-38559.patch
+++ b/CVE-2023-38559.patch
@ -0,0 +1,11 @@
+--- base/gdevdevn.c.orig	2022-04-04 15:48:49.000000000 +0200
+++ base/gdevdevn.c	2023-07-26 11:31:03.873226054 +0200
+@@ -1950,7 +1950,7 @@ devn_pcx_write_rle(const byte * from, co
+         byte data = *from;
+ 
+         from += step;
+-        if (data != *from || from == end) {
+        if (from >= end || data != *from) {
+             if (data >= 0xc0)
+                 gp_fputc(0xc1, file);
+         } else {
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -17,6 +17,29 @@ Source0:          https://github.com/ArtifexSoftware/ghostpdl-downloads/releases

 Patch0:  ghostscript-9.23-100-run-dvipdf-securely.patch

+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd
+# https://bugs.ghostscript.com/show_bug.cgi?id=706494
+# fix CVE-2023-28879 Buffer Overflow in s_xBCPE_process
+Patch101:  CVE-2023-28879.patch
+
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c and
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
+# fix see https://bugs.ghostscript.com/show_bug.cgi?id=706761
+# "OS command injection in %pipe% access"
+# and https://bugs.ghostscript.com/show_bug.cgi?id=706778
+# "%pipe% allowed_path bypass"
+Patch102:  CVE-2023-36664.patch
+
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1
+# CVE-2023-38559.patch fix
+# "out of bounds read devn_pcx_write_rle() could result in DoS"
+# and https://bugs.ghostscript.com/show_bug.cgi?id=706897
+# which is in base/gdevdevn.c the same issue
+# "ordering in if expression to avoid out-of-bounds access"
+# as the already fixed CVE-2020-16305 in devices/gdevpcx.c
+# see https://bugs.ghostscript.com/show_bug.cgi?id=701819
+Patch103:  CVE-2023-38559.patch
+
 BuildRequires:    automake gcc
 BuildRequires:    adobe-mappings-cmap-devel adobe-mappings-pdf-devel
 BuildRequires:    google-droid-sans-fonts urw-base35-fonts-devel
@ -82,7 +105,11 @@ This package provides the utility 'dvipdf' for converting of TeX DVI files into
 PDF files using Ghostscript and dvips

 %prep
-%autosetup -n %{name}-%{version} -p1
+%setup -q -n %{name}-%{version}
+%patch0 -p1
+%patch101 -p0
+%patch102 -p0
+%patch103 -p0

 # Libraries that we already have packaged(see Build Requirements):
 rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
@ -176,6 +203,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf

 %changelog
+* Wed Aug  2 2023 dillon chen <dillon.chen@gmail.com> - 9.56.1-2
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2023-28879 CVE-2023-36664 CVE-2023-38559
+
 * Mon Jun 20 2022 dillon chen <dillon.chen@gmail.com> - 9.56.1-1
 - update vserion to 9.56.1