RHEL-67050 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding

Resolves: RHEL-67050

0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch

@@ -0,0 +1,63 @@
+From 282f691f5e57b6bf55ba51ad8c2be2cce8edb938 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Tue, 18 Jun 2024 18:22:55 +0100
+Subject: [PATCH] Bug 707788: Fix decode_utf8 to forbid overlong encodings.
+
+These can be used by malicious code to escape directories.
+
+CVE-2024-46954
+---
+ base/gp_utf8.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/base/gp_utf8.c b/base/gp_utf8.c
+index c33fc3550..b78977e37 100644
+--- a/base/gp_utf8.c
++++ b/base/gp_utf8.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2023 Artifex Software, Inc.
++/* Copyright (C) 2001-2024 Artifex Software, Inc.
+    All Rights Reserved.
+ 
+    This software is provided AS-IS with no warranty, either express or
+@@ -25,12 +25,16 @@ decode_utf8(const char **inp, unsigned int i)
+     if (i < 0x80) {
+     } else if ((i & 0xE0) == 0xC0) {
+         i &= 0x1F;
++        if (i == 0)
++            goto fail_overlong;
+         c = (unsigned char)*in++;
+         if ((c & 0xC0) != 0x80)
+             goto fail;
+         i = (i<<6) | (c & 0x3f);
+     } else if ((i & 0xF0) == 0xE0) {
+         i &= 0xF;
++        if (i == 0)
++            goto fail_overlong;
+         c = (unsigned char)*in++;
+         if ((c & 0xC0) != 0x80)
+             goto fail;
+@@ -41,6 +45,8 @@ decode_utf8(const char **inp, unsigned int i)
+         i = (i<<6) | (c & 0x3f);
+     } else if ((i & 0xF8) == 0xF0) {
+         i &= 0x7;
++        if (i == 0)
++            goto fail_overlong;
+         c = (unsigned char)*in++;
+         if ((c & 0xC0) != 0x80)
+             goto fail;
+@@ -59,6 +65,11 @@ decode_utf8(const char **inp, unsigned int i)
+         /* If we fail, unread the last one, and return the unicode replacement char. */
+ fail:
+        in--;
++fail_overlong:
++       /* If we jump to here it's because we've detected an 'overlong' encoding.
++        * While this seems harmless, it's actually illegal, for good reason;
++        * this is typically an attempt to sneak stuff past security checks, like
++        * "../" in paths. Fail this. */
+        i = 0xfffd;
+     }
+     *inp = in;
+-- 
+2.49.0
+

ghostscript.spec

@@ -130,9 +130,15 @@ Patch: 0001-Uniprint-device-prevent-string-configuration-changes.patch
 # RHEL-46575 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
 Patch: 0001-Bug-707691.patch
 # RHEL-67044 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space
+# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f49812186baa7d1
 Patch: 0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch
 # CVE-2024-46952 ghostscript: Buffer Overflow in Ghostscript PDF XRef Stream Handling
+# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=b1f0827c30f59a2
 Patch: 0001-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch
+# RHEL-67050 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding
+# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=282f691f5e57b6b
+Patch: 0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch
+
 
 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
@@ -452,6 +458,7 @@ done
 * Tue Apr 15 2025 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-15
 - RHEL-67044 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space
 - RHEL-67050 CVE-2024-46952 ghostscript: Buffer Overflow in Ghostscript PDF XRef Stream Handling
+- RHEL-67050 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding
 
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 10.02.1-14
 - Bump release for October 2024 mass rebuild: