rpms/ghostscript
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI ghostscript-9.54.0-14.el9_3

Browse Source
This commit is contained in:
eabdullin 2023-11-07 12:17:30 +00:00
parent 90512d8f1e
commit 066c4b3cf8
4 changed files with 199 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
SOURCES/ghostscript-9.54.0-CVE-2023-28879.patch Normal file
View File

@ -0,0 +1,44 @@
From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Fri, 24 Mar 2023 13:19:57 +0000
Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
Bug #706494 "Buffer Overflow in s_xBCPE_process"
As described in detail in the bug report, if the write buffer is filled
to one byte less than full, and we then try to write an escaped
character, we overrun the buffer because we don't check before
writing two bytes to it.
This just checks if we have two bytes before starting to write an
escaped character and exits if we don't (replacing the consumed byte
of the input).
Up for further discussion; why do we even permit a BCP encoding filter
anyway ? I think we should remove this, at least when SAFER is true.
---
base/sbcp.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/base/sbcp.c b/base/sbcp.c
index 979ae0992..47fc233ec 100644
--- a/base/sbcp.c
+++ b/base/sbcp.c
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
byte ch = *++p;
if (ch <= 31 && escaped[ch]) {
+ /* Make sure we have space to store two characters in the write buffer,
+ * if we don't then exit without consuming the input character, we'll process
+ * that on the next time round.
+ */
+ if (pw->limit - q < 2) {
+ p--;
+ break;
+ }
if (p == rlimit) {
p--;
break;
--
2.39.2

27
SOURCES/ghostscript-9.54.0-CVE-2023-38559.patch Normal file
View File

@ -0,0 +1,27 @@
From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Mon, 17 Jul 2023 14:06:37 +0100
Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from
devices/gdevpcx.c
Bounds check the buffer, before dereferencing the pointer.
---
base/gdevdevn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/base/gdevdevn.c b/base/gdevdevn.c
index 7b14d9c71..6351fb77a 100644
--- a/base/gdevdevn.c
+++ b/base/gdevdevn.c
@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file
byte data = *from;
from += step;
- if (data != *from || from == end) {
+ if (from >= end || data != *from) {
if (data >= 0xc0)
gp_fputc(0xc1, file);
} else {
--
2.41.0

106
SOURCES/ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch Normal file
View File

@ -0,0 +1,106 @@
From 346f12459aa67cdb5ff9e267c2c8cccc17f4a376 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 15 Mar 2023 15:38:29 +0000
Subject: [PATCH] Bug 706478: pdfwrite: Substituted TTF CIDFont CID handling
The PS interpreter callback that handles converting a CID to a TTF GID did
not handle the case of substituted CIDFonts.
It requires looking up the CID on the Decoding (to get a Unicode code point),
and then looking up the code point in the TTF cmap table to get the GID.
The rendering code already handled it.
---
psi/zfcid1.c | 73 +++++++++++++++++++++++++++++++++-------------------
1 file changed, 46 insertions(+), 27 deletions(-)
diff --git a/psi/zfcid1.c b/psi/zfcid1.c
index fd502ff12..55de85d45 100644
--- a/psi/zfcid1.c
+++ b/psi/zfcid1.c
@@ -77,37 +77,56 @@
int gdbytes = pfont->cidata.common.GDBytes;
int gnum = 0;
const byte *data;
- int i, code;
+ int i, code = -1;
ref rcid;
ref *prgnum;
+ ref *p, *fdict = pfont_dict(pfont);
+
+ if (r_has_type(fdict, t_dictionary) && dict_find_string(fdict, "Path", &p)) {
+ ref *Decoding = NULL, *TT_cmap = NULL, *SubstNWP = NULL, src_type, dst_type;
+ uint c;
+
+ code = dict_find_string(fdict, "Decoding", &Decoding);
+ if (code > 0)
+ code = dict_find_string(fdict, "TT_cmap", &TT_cmap);
+ if (code > 0)
+ code = dict_find_string(fdict, "SubstNWP", &SubstNWP);
+ if (code > 0) {
+ code = cid_to_TT_charcode(pfont->memory, Decoding, TT_cmap, SubstNWP, cid, &c, &src_type, &dst_type);
+ if (code >= 0)
+ gnum = c;
+ }
+ }
- switch (r_type(pcidmap)) {
- case t_string:
- if (cid >= r_size(pcidmap) / gdbytes)
- return_error(gs_error_rangecheck);
- data = pcidmap->value.const_bytes + cid * gdbytes;
- break;
- case t_integer:
- return cid + pcidmap->value.intval;
- case t_dictionary:
- make_int(&rcid, cid);
- code = dict_find(pcidmap, &rcid, &prgnum);
- if (code <= 0)
- return (code < 0 ? code : gs_note_error(gs_error_undefined));
- if (!r_has_type(prgnum, t_integer))
- return_error(gs_error_typecheck);
- return prgnum->value.intval;
- default: /* array type */
- code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes,
- gdbytes, NULL, NULL, &data);
+ if (code < 0) {
+ switch (r_type(pcidmap)) {
+ case t_string:
+ if (cid >= r_size(pcidmap) / gdbytes)
+ return_error(gs_error_rangecheck);
+ data = pcidmap->value.const_bytes + cid * gdbytes;
+ break;
+ case t_integer:
+ return cid + pcidmap->value.intval;
+ case t_dictionary:
+ make_int(&rcid, cid);
+ code = dict_find(pcidmap, &rcid, &prgnum);
+ if (code <= 0)
+ return (code < 0 ? code : gs_note_error(gs_error_undefined));
+ if (!r_has_type(prgnum, t_integer))
+ return_error(gs_error_typecheck);
+ return prgnum->value.intval;
+ default: /* array type */
+ code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes,
+ gdbytes, NULL, NULL, &data);
- if (code < 0)
- return code;
- if ( code > 0 )
- return_error(gs_error_invalidfont);
+ if (code < 0)
+ return code;
+ if ( code > 0 )
+ return_error(gs_error_invalidfont);
+ }
+ for (i = 0; i < gdbytes; ++i)
+ gnum = (gnum << 8) + data[i];
}
- for (i = 0; i < gdbytes; ++i)
- gnum = (gnum << 8) + data[i];
if (gnum >= pfont->data.trueNumGlyphs)
return_error(gs_error_invalidfont);
return gnum;
--
2.39.2

29
SPECS/ghostscript.spec
View File

@ -42,7 +42,7 @@
Name: ghostscript
Summary: Interpreter for PostScript language & PDF
Version: 9.54.0
Release: 11%{?dist}
Release: 14%{?dist}
License: AGPLv3+
@ -108,8 +108,11 @@ Patch003: ghostscript-9.54.0-covscan-fixes.patch
Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
Patch005: ghostscript-9.54.0-Deal-with-different-VM-modes-during-CIDFont-loading.patch
Patch006: ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch
Patch007: ghostscript-9.54.0-CVE-2023-36664.patch
Patch008: ghostscript-9.54.0-CVE-2023-43115.patch
Patch007: ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
Patch008: ghostscript-9.54.0-CVE-2023-28879.patch
Patch009: ghostscript-9.54.0-CVE-2023-36664.patch
Patch010: ghostscript-9.54.0-CVE-2023-38559.patch
Patch011: ghostscript-9.54.0-CVE-2023-43115.patch
# Downstream patches -- these should be always included when doing rebase:
# ------------------
@ -443,13 +446,25 @@ done
# =============================================================================
%changelog
* Thu Oct 12 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-11
* Thu Oct 12 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-14
- fix for CVE-2023-43115
- Resolves: RHEL-10183
- Resolves: RHEL-10184
* Mon Jul 03 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-10
* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-13
- fix for CVE-2023-38559
- Resolves: rhbz#2224372
* Tue Aug 01 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-12
- fix for CVE-2023-36664
- Resolves: rhbz#2217809
- Resolves: rhbz#2217810
* Fri May 05 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-11
- fix for CVE-2023-28879
- Resolves: rhbz#2188300
* Fri Mar 17 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-10
- fix embedding of CIDFonts
- Resolves: rhbz#2179023
* Thu Feb 02 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-9
- set the page size for A4 correctly in ESC/Page driver