packages/ghostscript
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!35 cve 28879 36664 38559

Browse Source 
From: @dillon_chen 
Reviewed-by: @overweight 
Signed-off-by: @overweight
This commit is contained in:
openeuler-ci-bot 2023-08-03 11:25:16 +00:00 committed by Gitee
commit d306a39fbd
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
4 changed files with 178 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
CVE-2023-28879.patch Normal file
View File

@ -0,0 +1,17 @@
--- base/sbcp.c.orig 2020-03-19 09:21:42.000000000 +0100
+++ base/sbcp.c 2023-04-03 12:36:26.024927229 +0200
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, strea
byte ch = *++p;
if (ch <= 31 && escaped[ch]) {
+ /* Make sure we have space to store two characters in the write buffer,
+ * if we don't then exit without consuming the input character, we'll process
+ * that on the next time round.
+ */
+ if (pw->limit - q < 2) {
+ p--;
+ break;
+ }
if (p == rlimit) {
p--;
break;

116
CVE-2023-36664.patch Normal file
View File

@ -0,0 +1,116 @@
--- base/gpmisc.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ base/gpmisc.c 2023-07-04 08:13:02.173325373 +0200
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *
&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
prefix_len = 0;
}
- rlen = len+1;
- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
- if (bufferfull == NULL)
- return gs_error_VMerror;
- buffer = bufferfull + prefix_len;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
+ return gs_error_VMerror;
+ buffer = bufferfull + prefix_len;
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
while (1) {
switch (mode[0])
{
--- base/gslibctx.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ base/gslibctx.c 2023-07-04 08:09:47.834639430 +0200
@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_m
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
-
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len + 1;
+
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++)
@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const g
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
-
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
+
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++) {

11
CVE-2023-38559.patch Normal file
View File

@ -0,0 +1,11 @@
--- base/gdevdevn.c.orig 2022-04-04 15:48:49.000000000 +0200
+++ base/gdevdevn.c 2023-07-26 11:31:03.873226054 +0200
@@ -1950,7 +1950,7 @@ devn_pcx_write_rle(const byte * from, co
byte data = *from;
from += step;
- if (data != *from || from == end) {
+ if (from >= end || data != *from) {
if (data >= 0xc0)
gp_fputc(0xc1, file);
} else {

35
ghostscript.spec
View File

@ -17,6 +17,29 @@ Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
Patch0: ghostscript-9.23-100-run-dvipdf-securely.patch Patch0: ghostscript-9.23-100-run-dvipdf-securely.patch
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd
# https://bugs.ghostscript.com/show_bug.cgi?id=706494
# fix CVE-2023-28879 Buffer Overflow in s_xBCPE_process
Patch101: CVE-2023-28879.patch
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c and
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
# fix see https://bugs.ghostscript.com/show_bug.cgi?id=706761
# "OS command injection in %pipe% access"
# and https://bugs.ghostscript.com/show_bug.cgi?id=706778
# "%pipe% allowed_path bypass"
Patch102: CVE-2023-36664.patch
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1
# CVE-2023-38559.patch fix
# "out of bounds read devn_pcx_write_rle() could result in DoS"
# and https://bugs.ghostscript.com/show_bug.cgi?id=706897
# which is in base/gdevdevn.c the same issue
# "ordering in if expression to avoid out-of-bounds access"
# as the already fixed CVE-2020-16305 in devices/gdevpcx.c
# see https://bugs.ghostscript.com/show_bug.cgi?id=701819
Patch103: CVE-2023-38559.patch
BuildRequires: automake gcc BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
BuildRequires: google-droid-sans-fonts urw-base35-fonts-devel BuildRequires: google-droid-sans-fonts urw-base35-fonts-devel
@ -82,7 +105,11 @@ This package provides the utility 'dvipdf' for converting of TeX DVI files into
PDF files using Ghostscript and dvips PDF files using Ghostscript and dvips
%prep %prep
%autosetup -n %{name}-%{version} -p1 %setup -q -n %{name}-%{version}
%patch0 -p1
%patch101 -p0
%patch102 -p0
%patch103 -p0
# Libraries that we already have packaged(see Build Requirements): # Libraries that we already have packaged(see Build Requirements):
rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
@ -176,6 +203,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
%{_bindir}/dvipdf %{_bindir}/dvipdf
%changelog %changelog
* Wed Aug 2 2023 dillon chen <dillon.chen@gmail.com> - 9.56.1-2
- Type:CVE
- ID:NA
- SUG:NA
- DESC:fix CVE-2023-28879 CVE-2023-36664 CVE-2023-38559
* Mon Jun 20 2022 dillon chen <dillon.chen@gmail.com> - 9.56.1-1 * Mon Jun 20 2022 dillon chen <dillon.chen@gmail.com> - 9.56.1-1
- update vserion to 9.56.1 - update vserion to 9.56.1