From 0b6d25ee22811d85b7b6122390eff4309e7d763e Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Tue, 16 Jul 2024 18:19:08 +0200
Subject: [PATCH] RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters

Resolves: RHEL-46112
---
...nds-checks-when-using-CIDFont-relate.patch | 76 +++++++++++++++++++
ghostscript.spec | 3 +
2 files changed, 79 insertions(+)
create mode 100644 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch

diff --git a/0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch b/0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
new file mode 100644
index 0000000..f8df7d9
--- /dev/null
+++ b/0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
@@ -0,0 +1,76 @@
+diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c
+index 5f82b7f..6819cb7 100644
+--- a/pdf/pdf_font.c
++++ b/pdf/pdf_font.c
+@@ -297,22 +297,55 @@ pdfi_open_CIDFont_substitute_file(pdf_context *ctx, pdf_dict *font_dict, pdf_dic
+ memcpy(fontfname, fsprefix, fsprefixlen);
+ }
+ else {
+- memcpy(fontfname, ctx->args.cidfsubstpath.data, ctx->args.cidfsubstpath.size);
+- fsprefixlen = ctx->args.cidfsubstpath.size;
++ if (ctx->args.cidfsubstpath.size + 1 > gp_file_name_sizeof) {
++ code = gs_note_error(gs_error_rangecheck);
++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSubstPath parameter too long");
++ if (ctx->args.pdfstoponwarning != 0) {
++ goto exit;
++ }
++ code = 0;
++ memcpy(fontfname, fsprefix, fsprefixlen);
++ }
++ else {
++ memcpy(fontfname, ctx->args.cidfsubstpath.data, ctx->args.cidfsubstpath.size);
++ fsprefixlen = ctx->args.cidfsubstpath.size;
++ }
+ }
+
+ if (ctx->args.cidfsubstfont.data == NULL) {
+ int len = 0;
+- if (gp_getenv("CIDFSUBSTFONT", (char *)0, &len) < 0 && len + fsprefixlen + 1 < gp_file_name_sizeof) {
+- (void)gp_getenv("CIDFSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
++ if (gp_getenv("CIDFSUBSTFONT", (char *)0, &len) < 0) {
++ if (len + fsprefixlen + 1 > gp_file_name_sizeof) {
++ code = gs_note_error(gs_error_rangecheck);
++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSUBSTFONT environment variable too long");
++ if (ctx->args.pdfstoponwarning != 0) {
++ goto exit;
++ }
++ code = 0;
++ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
++ }
++ else {
++ (void)gp_getenv("CIDFSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
++ }
+ }
+ else {
+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
+ }
+ }
+ else {
+- memcpy(fontfname, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size);
+- defcidfallacklen = ctx->args.cidfsubstfont.size;
++ if (ctx->args.cidfsubstfont.size > gp_file_name_sizeof - 1) {
++ code = gs_note_error(gs_error_rangecheck);
++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSubstFont parameter too long");
++ if (ctx->args.pdfstoponwarning != 0) {
++ goto exit;
++ }
++ code = 0;
++ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
++ }
++ else {
++ memcpy(fontfname, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size);
++ defcidfallacklen = ctx->args.cidfsubstfont.size;
++ }
+ }
+ fontfname[fsprefixlen + defcidfallacklen] = '\0';
+
+diff --git a/pdf/pdf_warnings.h b/pdf/pdf_warnings.h
+index 6402d8f..d1e0019 100644
+--- a/pdf/pdf_warnings.h
++++ b/pdf/pdf_warnings.h
+@@ -97,4 +97,5 @@ PARAM(W_PDF_MISMATCH_GENERATION, "The generation number of an indirectly refe
+ PARAM(W_PDF_BAD_RENDERINGINTENT, "A ri or /RI used an unknown named rendering intent"),
+ PARAM(W_PDF_BAD_VIEW, "Couldn't read the initial document view"),
+ PARAM(W_PDF_BAD_WMODE, "A Font or CMap has a WMode which is neither 0 (horizontal) nor 1 (vertical)"),
++PARAM(W_PDF_BAD_CONFIG, "A configuration or command line parameter was invalid or incorrect."),
+ #undef PARAM
diff --git a/ghostscript.spec b/ghostscript.spec
index 5df48b0..e0f13b9 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -121,6 +121,8 @@ Patch: 0001-Bug-707686.patch
 Patch: 0001-Bug-707510-don-t-use-strlen-on-passwords.patch
 # RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
 Patch: 0001-Bug-707510-review-printing-of-pointers.patch
+# RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
+Patch: 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
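Review bot: The new checks bound each parameter on its own, not the combined length that is written into fontfname, so the overflow the backport targets is narrowed rather than closed. The CIDFSubstPath branch accepts a value of gp_file_name_sizeof - 1 bytes (`size + 1 > gp_file_name_sizeof` is false for it), after which the unchanged `memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen)` in the no-environment-variable branch (the same copy both new "too long" fallbacks perform) and the final `fontfname[fsprefixlen + defcidfallacklen] = '\0'` write past the end of the buffer if fontfname is gp_file_name_sizeof bytes, which its declaration above the hunk would have to confirm. The CIDFSubstFont branch has the same shape: the value is copied at offset 0 but the terminator is still placed at `fsprefixlen + defcidfallacklen`, so a value of gp_file_name_sizeof - 1 bytes passes `size > gp_file_name_sizeof - 1` yet puts the NUL fsprefixlen bytes beyond the buffer, with stale prefix bytes left between the copied value and the terminator. I would change the first check to `if (ctx->args.cidfsubstpath.size + defcidfallacklen + 1 > gp_file_name_sizeof) {` (assuming defcidfallacklen still holds the default name's length at that point; it is initialised above the hunk) and the third to `if (ctx->args.cidfsubstfont.size + fsprefixlen + 1 > gp_file_name_sizeof) {`, or, if CIDFSubstFont is meant as a complete path, add `fsprefixlen = 0;` next to `defcidfallacklen = ctx->args.cidfsubstfont.size;` so the terminator follows the bytes actually copied. pdfi_open_CIDFont_substitute_file begins before and ends after this hunk; the exit label the new `goto exit` lines jump to is not visible.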
@@ -440,6 +442,7 @@ done
 * Tue Jul 16 2024 Zdenek Dohnal - 10.02.1-12
 - RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
 - RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
+- RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
 * Thu Jul 11 2024 Zdenek Dohnal - 10.02.1-12
 - RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths