diff --git a/0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch b/0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch
new file mode 100644
index 0000000..cb08b28
--- /dev/null
+++ b/0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch
@@ -0,0 +1,63 @@
+From 282f691f5e57b6bf55ba51ad8c2be2cce8edb938 Mon Sep 17 00:00:00 2001
+From: Robin Watts
+Date: Tue, 18 Jun 2024 18:22:55 +0100
+Subject: [PATCH] Bug 707788: Fix decode_utf8 to forbid overlong encodings.
+
+These can be used by malicious code to escape directories.
+
+CVE-2024-46954
+---
+ base/gp_utf8.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/base/gp_utf8.c b/base/gp_utf8.c
+index c33fc3550..b78977e37 100644
+--- a/base/gp_utf8.c
++++ b/base/gp_utf8.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2023 Artifex Software, Inc.
++/* Copyright (C) 2001-2024 Artifex Software, Inc.
+ All Rights Reserved.
+
+ This software is provided AS-IS with no warranty, either express or
+@@ -25,12 +25,16 @@ decode_utf8(const char **inp, unsigned int i)
+ if (i < 0x80) {
+ } else if ((i & 0xE0) == 0xC0) {
+ i &= 0x1F;
++ if (i == 0)
++ goto fail_overlong;
+ c = (unsigned char)*in++;
+ if ((c & 0xC0) != 0x80)
+ goto fail;
+ i = (i<<6) | (c & 0x3f);
+ } else if ((i & 0xF0) == 0xE0) {
+ i &= 0xF;
++ if (i == 0)
++ goto fail_overlong;
+ c = (unsigned char)*in++;
+ if ((c & 0xC0) != 0x80)
+ goto fail;
+@@ -41,6 +45,8 @@ decode_utf8(const char **inp, unsigned int i)
+ i = (i<<6) | (c & 0x3f);
+ } else if ((i & 0xF8) == 0xF0) {
+ i &= 0x7;
++ if (i == 0)
++ goto fail_overlong;
+ c = (unsigned char)*in++;
+ if ((c & 0xC0) != 0x80)
+ goto fail;
+@@ -59,6 +65,11 @@ decode_utf8(const char **inp, unsigned int i)
+ /* If we fail, unread the last one, and return the unicode replacement char. */
+ fail:
+ in--;
++fail_overlong:
++ /* If we jump to here it's because we've detected an 'overlong' encoding.
++ * While this seems harmless, it's actually illegal, for good reason;
++ * this is typically an attempt to sneak stuff past security checks, like
++ * "../" in paths. Fail this. */
+ i = 0xfffd;
+ }
+ *inp = in;
+--
+2.49.0
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 9097b7e..3ddd5df 100644
--- a/ghostscript.spec
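Review bot: The new lead-byte tests `i &= 0xF; if (i == 0) goto fail_overlong;` (3-byte branch) and `i &= 0x7; if (i == 0) goto fail_overlong;` (4-byte branch) reject every sequence led by 0xE0 or 0xF0, which also throws away the valid code points U+0800–U+0FFF (E0 A0..BF xx) and U+10000–U+3FFFF (F0 90..BF xx xx, i.e. all of planes 1–3), while the 2-byte test `i &= 0x1F; if (i == 0)` still accepts lead 0xC1, so C1 80..BF remains an accepted overlong form of U+0040–U+007F — including `\` as C1 9C, which matters if this decoder feeds Windows path handling (not visible here). Overlong-ness is a property of the decoded value, not of the lead byte alone, so the robust check is a minimum-value test once the sequence is assembled (< 0x80, < 0x800, < 0x10000), with the 4-byte branch additionally rejecting values above 0x10FFFF. Jumping to `fail_overlong` after all bytes are consumed is still correct: the whole malformed sequence collapses to one U+FFFD and there is nothing to unread. decode_utf8 starts before and ends after the shown hunks, and the tail of the 4-byte branch lies outside them, so that part of the change is described rather than shown.
```c
    } else if ((i & 0xE0) == 0xC0) {
        i &= 0x1F;
        if (i < 2)               /* lead C0/C1 can only encode U+0000..U+007F */
            goto fail_overlong;
        /* … unchanged: read the continuation byte … */
    } else if ((i & 0xF0) == 0xE0) {
        i &= 0xF;                /* no lead-byte test: E0 A0..BF xx is valid */
        /* … unchanged: read both continuation bytes … */
        i = (i<<6) | (c & 0x3f);
        if (i < 0x800)           /* E0 80..9F xx: overlong 3-byte form */
            goto fail_overlong;
    } else if ((i & 0xF8) == 0xF0) {
        i &= 0x7;                /* likewise no lead-byte test here */
        /* … unchanged: read the three continuation bytes … */
        /* after the branch's final `i = (i<<6) | (c & 0x3f);`, outside the hunk: */
        if (i < 0x10000 || i > 0x10FFFF)
            goto fail_overlong;
```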
+++ b/ghostscript.spec @@ -130,9 +130,15 @@ Patch: 0001-Uniprint-device-prevent-string-configuration-changes.patch # RHEL-46575 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction Patch: 0001-Bug-707691.patch # RHEL-67044 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space +# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f49812186baa7d1 Patch: 0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch # CVE-2024-46952 ghostscript: Buffer Overflow in Ghostscript PDF XRef Stream Handling +# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=b1f0827c30f59a2 Patch: 0001-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch +# RHEL-67050 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding +# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=282f691f5e57b6b +Patch: 0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch + # Downstream patches -- these should be always included when doing rebase: # ------------------ @@ -452,6 +458,7 @@ done * Tue Apr 15 2025 Zdenek Dohnal - 10.02.1-15 - RHEL-67044 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space - RHEL-67050 CVE-2024-46952 ghostscript: Buffer Overflow in Ghostscript PDF XRef Stream Handling +- RHEL-67050 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding * Tue Oct 29 2024 Troy Dawson - 10.02.1-14 - Bump release for October 2024 mass rebuild:
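Review bot: The new comment `# RHEL-67050 CVE-2024-46954 ghostscript: Directory Traversal …` reuses the ticket number that this commit's changelog hunk also attaches to CVE-2024-46952 (`- RHEL-67050 CVE-2024-46952 …`), while the existing `# CVE-2024-46952 …` Patch comment carries no RHEL id at all; one of the two attributions is probably wrong, so confirm which CVE RHEL-67050 tracks and align the Patch comment and the changelog. The changelog line is also appended to the existing 10.02.1-15 entry rather than a new one; if that release was already built, the Release field (not visible here) needs a bump so the rebuilt package actually carries the new patch.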