rpms/ghostscript
5
0
Fork 0
Code Issues Pull Requests Releases Activity

fix for CVE-2023-28879

Browse Source 
Resolves: rhbz#2188300
This commit is contained in:
Richard Lescak 2023-05-11 11:19:23 +02:00
parent b37edd2dfe
commit 261ad2cc5f
2 changed files with 50 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
ghostscript-9.54.0-CVE-2023-28879.patch Normal file
View File

@ -0,0 +1,44 @@
From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Fri, 24 Mar 2023 13:19:57 +0000
Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
Bug #706494 "Buffer Overflow in s_xBCPE_process"
As described in detail in the bug report, if the write buffer is filled
to one byte less than full, and we then try to write an escaped
character, we overrun the buffer because we don't check before
writing two bytes to it.
This just checks if we have two bytes before starting to write an
escaped character and exits if we don't (replacing the consumed byte
of the input).
Up for further discussion; why do we even permit a BCP encoding filter
anyway ? I think we should remove this, at least when SAFER is true.
---
base/sbcp.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/base/sbcp.c b/base/sbcp.c
index 979ae0992..47fc233ec 100644
--- a/base/sbcp.c
+++ b/base/sbcp.c
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
byte ch = *++p;
if (ch <= 31 && escaped[ch]) {
+ /* Make sure we have space to store two characters in the write buffer,
+ * if we don't then exit without consuming the input character, we'll process
+ * that on the next time round.
+ */
+ if (pw->limit - q < 2) {
+ p--;
+ break;
+ }
if (p == rlimit) {
p--;
break;
--
2.39.2

7
ghostscript.spec
View File

@ -42,7 +42,7 @@
Name: ghostscript Name: ghostscript
Summary: Interpreter for PostScript language & PDF Summary: Interpreter for PostScript language & PDF
Version: 9.54.0 Version: 9.54.0
Release: 10%{?dist} Release: 11%{?dist}
License: AGPLv3+ License: AGPLv3+
@ -109,6 +109,7 @@ Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
Patch005: ghostscript-9.54.0-Deal-with-different-VM-modes-during-CIDFont-loading.patch Patch005: ghostscript-9.54.0-Deal-with-different-VM-modes-during-CIDFont-loading.patch
Patch006: ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch Patch006: ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch
Patch007: ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch Patch007: ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
Patch008: ghostscript-9.54.0-CVE-2023-28879.patch
# Downstream patches -- these should be always included when doing rebase: # Downstream patches -- these should be always included when doing rebase:
# ------------------ # ------------------
@ -442,6 +443,10 @@ done
# ============================================================================= # =============================================================================
%changelog %changelog
* Fri May 05 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-11
- fix for CVE-2023-28879
- Resolves: rhbz#2188300
* Fri Mar 17 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-10 * Fri Mar 17 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-10
- fix embedding of CIDFonts - fix embedding of CIDFonts
- Resolves: rhbz#2179023 - Resolves: rhbz#2179023