import UBI ghostscript-9.54.0-14.el9_3

SOURCES/ghostscript-9.54.0-CVE-2023-28879.patch

@@ -0,0 +1,44 @@
+From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Fri, 24 Mar 2023 13:19:57 +0000
+Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
+
+Bug #706494 "Buffer Overflow in s_xBCPE_process"
+
+As described in detail in the bug report, if the write buffer is filled
+to one byte less than full, and we then try to write an escaped
+character, we overrun the buffer because we don't check before
+writing two bytes to it.
+
+This just checks if we have two bytes before starting to write an
+escaped character and exits if we don't (replacing the consumed byte
+of the input).
+
+Up for further discussion; why do we even permit a BCP encoding filter
+anyway ? I think we should remove this, at least when SAFER is true.
+---
+ base/sbcp.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/base/sbcp.c b/base/sbcp.c
+index 979ae0992..47fc233ec 100644
+--- a/base/sbcp.c
++++ b/base/sbcp.c
+@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
+         byte ch = *++p;
+ 
+         if (ch <= 31 && escaped[ch]) {
++            /* Make sure we have space to store two characters in the write buffer,
++             * if we don't then exit without consuming the input character, we'll process
++             * that on the next time round.
++             */
++            if (pw->limit - q < 2) {
++                p--;
++                break;
++            }
+             if (p == rlimit) {
+                 p--;
+                 break;
+-- 
+2.39.2
+

SOURCES/ghostscript-9.54.0-CVE-2023-38559.patch

@@ -0,0 +1,27 @@
+From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Mon, 17 Jul 2023 14:06:37 +0100
+Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from
+ devices/gdevpcx.c
+
+Bounds check the buffer, before dereferencing the pointer.
+---
+ base/gdevdevn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/gdevdevn.c b/base/gdevdevn.c
+index 7b14d9c71..6351fb77a 100644
+--- a/base/gdevdevn.c
++++ b/base/gdevdevn.c
+@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file
+         byte data = *from;
+ 
+         from += step;
+-        if (data != *from || from == end) {
++        if (from >= end || data != *from) {
+             if (data >= 0xc0)
+                 gp_fputc(0xc1, file);
+         } else {
+-- 
+2.41.0
+

SOURCES/ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch

@@ -0,0 +1,106 @@
+From 346f12459aa67cdb5ff9e267c2c8cccc17f4a376 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 15 Mar 2023 15:38:29 +0000
+Subject: [PATCH] Bug 706478: pdfwrite: Substituted TTF CIDFont CID handling
+
+The PS interpreter callback that handles converting a CID to a TTF GID did
+not handle the case of substituted CIDFonts.
+
+It requires looking up the CID on the Decoding (to get a Unicode code point),
+and then looking up the code point in the TTF cmap table to get the GID.
+
+The rendering code already handled it.
+---
+ psi/zfcid1.c | 73 +++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 46 insertions(+), 27 deletions(-)
+
+diff --git a/psi/zfcid1.c b/psi/zfcid1.c
+index fd502ff12..55de85d45 100644
+--- a/psi/zfcid1.c
++++ b/psi/zfcid1.c
+@@ -77,37 +77,56 @@
+     int gdbytes = pfont->cidata.common.GDBytes;
+     int gnum = 0;
+     const byte *data;
+-    int i, code;
++    int i, code = -1;
+     ref rcid;
+     ref *prgnum;
++    ref *p, *fdict = pfont_dict(pfont);
++
++    if (r_has_type(fdict, t_dictionary) && dict_find_string(fdict, "Path", &p)) {
++        ref *Decoding = NULL, *TT_cmap = NULL, *SubstNWP = NULL, src_type, dst_type;
++        uint c;
++
++        code = dict_find_string(fdict, "Decoding", &Decoding);
++        if (code > 0)
++            code = dict_find_string(fdict, "TT_cmap", &TT_cmap);
++        if (code > 0)
++            code = dict_find_string(fdict, "SubstNWP", &SubstNWP);
++        if (code > 0) {
++            code = cid_to_TT_charcode(pfont->memory, Decoding, TT_cmap, SubstNWP, cid, &c, &src_type, &dst_type);
++            if (code >= 0)
++                gnum = c;
++        }
++    }
+ 
+-    switch (r_type(pcidmap)) {
+-    case t_string:
+-        if (cid >= r_size(pcidmap) / gdbytes)
+-            return_error(gs_error_rangecheck);
+-        data = pcidmap->value.const_bytes + cid * gdbytes;
+-        break;
+-    case t_integer:
+-        return cid + pcidmap->value.intval;
+-    case t_dictionary:
+-        make_int(&rcid, cid);
+-        code = dict_find(pcidmap, &rcid, &prgnum);
+-        if (code <= 0)
+-            return (code < 0 ? code : gs_note_error(gs_error_undefined));
+-        if (!r_has_type(prgnum, t_integer))
+-            return_error(gs_error_typecheck);
+-        return prgnum->value.intval;
+-    default:			/* array type */
+-        code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes,
+-                                        gdbytes, NULL, NULL, &data);
++    if (code < 0) {
++        switch (r_type(pcidmap)) {
++        case t_string:
++            if (cid >= r_size(pcidmap) / gdbytes)
++                return_error(gs_error_rangecheck);
++            data = pcidmap->value.const_bytes + cid * gdbytes;
++            break;
++        case t_integer:
++            return cid + pcidmap->value.intval;
++        case t_dictionary:
++            make_int(&rcid, cid);
++            code = dict_find(pcidmap, &rcid, &prgnum);
++            if (code <= 0)
++                return (code < 0 ? code : gs_note_error(gs_error_undefined));
++            if (!r_has_type(prgnum, t_integer))
++                return_error(gs_error_typecheck);
++            return prgnum->value.intval;
++        default:			/* array type */
++            code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes,
++                                            gdbytes, NULL, NULL, &data);
+ 
+-        if (code < 0)
+-            return code;
+-        if ( code > 0 )
+-            return_error(gs_error_invalidfont);
++            if (code < 0)
++                return code;
++            if ( code > 0 )
++                return_error(gs_error_invalidfont);
++        }
++        for (i = 0; i < gdbytes; ++i)
++            gnum = (gnum << 8) + data[i];
+     }
+-    for (i = 0; i < gdbytes; ++i)
+-        gnum = (gnum << 8) + data[i];
+     if (gnum >= pfont->data.trueNumGlyphs)
+         return_error(gs_error_invalidfont);
+     return gnum;
+-- 
+2.39.2
+

SPECS/ghostscript.spec

@@ -42,7 +42,7 @@
 Name:             ghostscript
 Summary:          Interpreter for PostScript language & PDF
 Version:          9.54.0
-Release:          11%{?dist}
+Release:          14%{?dist}
 
 License:          AGPLv3+
 
@@ -108,8 +108,11 @@ Patch003: ghostscript-9.54.0-covscan-fixes.patch
 Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
 Patch005: ghostscript-9.54.0-Deal-with-different-VM-modes-during-CIDFont-loading.patch
 Patch006: ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch
-Patch007: ghostscript-9.54.0-CVE-2023-36664.patch
+Patch007: ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
-Patch008: ghostscript-9.54.0-CVE-2023-43115.patch
+Patch008: ghostscript-9.54.0-CVE-2023-28879.patch
+Patch009: ghostscript-9.54.0-CVE-2023-36664.patch
+Patch010: ghostscript-9.54.0-CVE-2023-38559.patch
+Patch011: ghostscript-9.54.0-CVE-2023-43115.patch
 
 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
@@ -443,13 +446,25 @@ done
 # =============================================================================
 
 %changelog
-* Thu Oct 12 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-11
+* Thu Oct 12 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-14
 - fix for CVE-2023-43115
-- Resolves: RHEL-10183
+- Resolves: RHEL-10184
 
-* Mon Jul 03 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-10
+* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-13
+- fix for CVE-2023-38559
+- Resolves: rhbz#2224372
+
+* Tue Aug 01 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-12
 - fix for CVE-2023-36664
-- Resolves: rhbz#2217809
+- Resolves: rhbz#2217810
+
+* Fri May 05 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-11
+- fix for CVE-2023-28879
+- Resolves: rhbz#2188300
+
+* Fri Mar 17 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-10
+- fix embedding of CIDFonts
+- Resolves: rhbz#2179023
 
 * Thu Feb 02 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-9
 - set the page size for A4 correctly in ESC/Page driver