RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter

Resolves: RHEL-46149

0001-Bug-707510-don-t-use-strlen-on-passwords.patch

@@ -0,0 +1,46 @@
+From 917b3a71fb20748965254631199ad98210d6c2fb Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 25 Jan 2024 11:58:22 +0000
+Subject: [PATCH] Bug 707510 - don't use strlen on passwords
+
+Item #1 of the report. This looks like an oversight when first coding
+the routine. We should use the PostScript string length, because
+PostScript strings may not be NULL terminated (and as here may contain
+internal NULL characters).
+
+Fix the R6 handler which has the same problem too.
+---
+ pdf/pdf_sec.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/pdf/pdf_sec.c b/pdf/pdf_sec.c
+index e968b89c5..e02e040f9 100644
+--- a/pdf/pdf_sec.c
++++ b/pdf/pdf_sec.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2020-2023 Artifex Software, Inc.
++/* Copyright (C) 2020-2024 Artifex Software, Inc.
+    All Rights Reserved.
+ 
+    This software is provided AS-IS with no warranty, either express or
+@@ -1283,7 +1283,7 @@ static int check_password_R5(pdf_context *ctx, char *Password, int PasswordLen,
+         /* If the supplied Password fails as the user *and* owner password, maybe its in
+          * the locale, not UTF-8, try converting to UTF-8
+          */
+-        code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P);
++        code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P);
+         if (code < 0)
+             return code;
+         memcpy(P->data, Password, PasswordLen);
+@@ -1330,7 +1330,7 @@ static int check_password_R6(pdf_context *ctx, char *Password, int PasswordLen,
+         /* If the supplied Password fails as the user *and* owner password, maybe its in
+          * the locale, not UTF-8, try converting to UTF-8
+          */
+-        code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P);
++        code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P);
+         if (code < 0)
+             return code;
+         memcpy(P->data, Password, PasswordLen);
+-- 
+2.45.2
+

ghostscript.spec

@@ -117,6 +117,8 @@ Patch: 0001-X-device-fix-compiler-warning.patch
 Patch: 0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch
 # RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
 Patch: 0001-Bug-707686.patch
+# RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
+Patch: 0001-Bug-707510-don-t-use-strlen-on-passwords.patch
 
 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
@@ -433,6 +435,9 @@ done
 # =============================================================================
 
 %changelog
+* Tue Jul 16 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
+- RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
+
 * Thu Jul 11 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
 - RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths