diff --git a/ghostscript-9.54.0-CVE-2023-28879.patch b/ghostscript-9.54.0-CVE-2023-28879.patch new file mode 100644 index 0000000..0629e99 --- /dev/null +++ b/ghostscript-9.54.0-CVE-2023-28879.patch @@ -0,0 +1,44 @@ +From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Fri, 24 Mar 2023 13:19:57 +0000 +Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding + +Bug #706494 "Buffer Overflow in s_xBCPE_process" + +As described in detail in the bug report, if the write buffer is filled +to one byte less than full, and we then try to write an escaped +character, we overrun the buffer because we don't check before +writing two bytes to it. + +This just checks if we have two bytes before starting to write an +escaped character and exits if we don't (replacing the consumed byte +of the input). + +Up for further discussion; why do we even permit a BCP encoding filter +anyway ? I think we should remove this, at least when SAFER is true. +--- + base/sbcp.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/base/sbcp.c b/base/sbcp.c +index 979ae0992..47fc233ec 100644 +--- a/base/sbcp.c ++++ b/base/sbcp.c +@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr, + byte ch = *++p; + + if (ch <= 31 && escaped[ch]) { ++ /* Make sure we have space to store two characters in the write buffer, ++ * if we don't then exit without consuming the input character, we'll process ++ * that on the next time round. ++ */ ++ if (pw->limit - q < 2) { ++ p--; ++ break; ++ } + if (p == rlimit) { + p--; + break; +-- +2.39.2 + diff --git a/ghostscript.spec b/ghostscript.spec index 25921ad..8a1fe2d 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -42,7 +42,7 @@ Name: ghostscript Summary: Interpreter for PostScript language & PDF Version: 9.54.0 -Release: 10%{?dist} +Release: 11%{?dist} License: AGPLv3+ @@ -109,6 +109,7 @@ Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch Patch005: ghostscript-9.54.0-Deal-with-different-VM-modes-during-CIDFont-loading.patch Patch006: ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch Patch007: ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch +Patch008: ghostscript-9.54.0-CVE-2023-28879.patch # Downstream patches -- these should be always included when doing rebase: # ------------------ @@ -442,6 +443,10 @@ done # ============================================================================= %changelog +* Fri May 05 2023 Richard Lescak - 9.54.0-11 +- fix for CVE-2023-28879 +- Resolves: rhbz#2188300 + * Fri Mar 17 2023 Richard Lescak - 9.54.0-10 - fix embedding of CIDFonts - Resolves: rhbz#2179023