39 lines
1.4 KiB
Diff
39 lines
1.4 KiB
Diff
From 7145885041bb52cc23964f0aa2aec1b1c82b5908 Mon Sep 17 00:00:00 2001
|
|
From: Zdenek Hutyra <zhutyra@centrum.cz>
|
|
Date: Mon, 22 Apr 2024 13:33:47 +0100
|
|
Subject: OPVP device - prevent unsafe parameter change with SAFER
|
|
|
|
Bug #707754 "OPVP device - Arbitrary code execution via custom Driver library"
|
|
|
|
The "Driver" parameter for the "opvp"/"oprp" device specifies the name
|
|
of a dynamic library and allows any library to be loaded.
|
|
|
|
The patch does not allow changing this parameter after activating path
|
|
control.
|
|
|
|
This addresses CVE-2024-33871
|
|
---
|
|
contrib/opvp/gdevopvp.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
|
|
index 5f20cac..327152d 100644
|
|
--- a/contrib/opvp/gdevopvp.c
|
|
+++ b/contrib/opvp/gdevopvp.c
|
|
@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist)
|
|
code = param_read_string(plist, pname, &vdps);
|
|
switch (code) {
|
|
case 0:
|
|
+ if (gs_is_path_control_active(dev->memory)
|
|
+ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size
|
|
+ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) {
|
|
+ param_signal_error(plist, pname, gs_error_invalidaccess);
|
|
+ return_error(gs_error_invalidaccess);
|
|
+ }
|
|
buff = realloc(buff, vdps.size + 1);
|
|
memcpy(buff, vdps.data, vdps.size);
|
|
buff[vdps.size] = 0;
|
|
--
|
|
2.27.0
|
|
|