RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter

Resolves: RHEL-46149
Zdenek Dohnal 2024-07-16 17:28:17 +02:00
parent a6cfa19a60
commit 10f971e9bb
2 changed files with 51 additions and 0 deletions


@ -0,0 +1,46 @@
From 917b3a71fb20748965254631199ad98210d6c2fb Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 25 Jan 2024 11:58:22 +0000
Subject: [PATCH] Bug 707510 - don't use strlen on passwords
Item #1 of the report. This looks like an oversight when first coding
the routine. We should use the PostScript string length, because
PostScript strings may not be NULL terminated (and as here may contain
internal NULL characters).
Fix the R6 handler which has the same problem too.
---
pdf/pdf_sec.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pdf/pdf_sec.c b/pdf/pdf_sec.c
index e968b89c5..e02e040f9 100644
--- a/pdf/pdf_sec.c
+++ b/pdf/pdf_sec.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2020-2023 Artifex Software, Inc.
+/* Copyright (C) 2020-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -1283,7 +1283,7 @@ static int check_password_R5(pdf_context *ctx, char *Password, int PasswordLen,
/* If the supplied Password fails as the user *and* owner password, maybe its in
* the locale, not UTF-8, try converting to UTF-8
*/
- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P);
+ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P);
if (code < 0)
return code;
memcpy(P->data, Password, PasswordLen);
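Review bot: PasswordLen is a signed int in the check_password_R5 signature and now sets both the pdfi_object_alloc size and the memcpy length, yet nothing in the visible context rejects a negative value before either call. Consider returning an error at the top of the function when PasswordLen < 0, or document that every caller guarantees a non-negative PostScript string length.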
@@ -1330,7 +1330,7 @@ static int check_password_R6(pdf_context *ctx, char *Password, int PasswordLen,
/* If the supplied Password fails as the user *and* owner password, maybe its in
* the locale, not UTF-8, try converting to UTF-8
*/
- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P);
+ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P);
if (code < 0)
return code;
memcpy(P->data, Password, PasswordLen);
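Review bot: check_password_R6 carries the same allocate-then-copy sequence as check_password_R5, and the commit message confirms the strlen mistake existed in both, so the duplication let one bug land twice. Suggest moving the pdfi_object_alloc and memcpy pair into a single shared helper that takes Password and PasswordLen, so the allocation size and the copy length cannot drift apart again. The diffstat lists only pdf/pdf_sec.c, so a regression case using a password with an internal NULL byte would also be worth adding.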
--
2.45.2


@ -117,6 +117,8 @@ Patch: 0001-X-device-fix-compiler-warning.patch
Patch: 0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch Patch: 0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch
# RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths # RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
Patch: 0001-Bug-707686.patch Patch: 0001-Bug-707686.patch
# RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
Patch: 0001-Bug-707510-don-t-use-strlen-on-passwords.patch
# Downstream patches -- these should be always included when doing rebase: # Downstream patches -- these should be always included when doing rebase:
# ------------------ # ------------------
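Review bot: the comment above the new Patch line names the RHEL ticket and the CVE but not the upstream origin of the fix. The patch file's own header records upstream commit 917b3a71fb20748965254631199ad98210d6c2fb for Bug 707510; adding that commit id to the comment would let a later rebase confirm quickly whether the new upstream release already contains it and the patch can be dropped.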
@ -433,6 +435,9 @@ done
# ============================================================================= # =============================================================================
%changelog %changelog
* Tue Jul 16 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
- RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
* Thu Jul 11 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12 * Thu Jul 11 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
- RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths - RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
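Review bot: the new %changelog entry dated Jul 16 uses 10.02.1-12, the same version-release as the Jul 11 entry directly below it, and the commit shows 0 deletions, so the Release tag was not changed here. If 10.02.1-12 has already been built with only the CVE-2024-33870 fix, two different package contents would share one NVR and a scanner keyed on the release could not tell whether CVE-2024-29509 is patched; bump Release and use the new value in this entry, or fold both items under a single entry if no build happened in between.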