From 2960ec78875aa8bd7cfaf2f8c925f081458f091b Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Tue, 16 Jul 2024 18:39:16 +0200
Subject: [PATCH] RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter()

Resolves: RHEL-46076
---
 ...-allow-PDF-files-with-bad-Filters-to.patch | 46 +++++++++++++++++++
 ghostscript.spec | 3 ++
 2 files changed, 49 insertions(+)
 create mode 100644 0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch

diff --git a/0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch b/0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
new file mode 100644
index 0000000..26f1057
--- /dev/null
+++ b/0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
@@ -0,0 +1,46 @@
+From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Thu, 25 Jan 2024 11:55:49 +0000
+Subject: [PATCH] Bug 707510 - don't allow PDF files with bad Filters to
+ overflow the debug buffer
+
+Item #2 of the report.
+
+Allocate a buffer to hold the filter name, instead of assuming it will
+fit in a fixed buffer.
+
+Reviewed all the other PDFDEBUG cases, no others use a fixed buffer like
+this.
+---
+ pdf/pdf_file.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/pdf/pdf_file.c b/pdf/pdf_file.c
+index 6680ae2db..4b04e3582 100644
+--- a/pdf/pdf_file.c
++++ b/pdf/pdf_file.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2018-2023 Artifex Software, Inc.
++/* Copyright (C) 2018-2024 Artifex Software, Inc.
+ All Rights Reserved.
+
+ This software is provided AS-IS with no warranty, either express or
+@@ -777,10 +777,14 @@ static int pdfi_apply_filter(pdf_context *ctx, pdf_dict *dict, pdf_name *n, pdf_
+
+ if (ctx->args.pdfdebug)
+ {
+- char str[100];
++ char *str;
++ str = gs_alloc_bytes(ctx->memory, n->length + 1, "temp string for debug");
++ if (str == NULL)
++ return_error(gs_error_VMerror);
+ memcpy(str, (const char *)n->data, n->length);
+ str[n->length] = '\0';
+ dmprintf1(ctx->memory, "FILTER NAME:%s\n", str);
++ gs_free_object(ctx->memory, str, "temp string for debug");
+ }
+
+ if (pdfi_name_is(n, "RunLengthDecode")) {
+--
+2.45.2
+
diff --git a/ghostscript.spec b/ghostscript.spec
index e0f13b9..000464c 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
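Review bot: The added `return_error(gs_error_VMerror)` after `gs_alloc_bytes` leaves pdfi_apply_filter from the middle of its body, and because the function starts and ends outside this hunk it cannot be confirmed here that nothing acquired earlier in the function needs releasing on that path; a short comment at the return, such as `/* nothing allocated by this function is live yet, so a bare return is safe */`, would record that check once it has been made. The allocation size `n->length + 1` relies on `length` never holding the maximum value of its type; if it is a fixed-width unsigned field, a wrapped size would make the following `memcpy` overrun a tiny buffer, so a comment naming the bound on `length` (or a guard against it) would help. Since the copy exists only to feed a single debug print, a precision-bounded `%.*s` conversion taking `n->length` and `n->data` directly would remove the allocation, the NULL check and the free, provided the debug-print helpers accept a two-argument form.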
@@ -123,6 +123,8 @@ Patch: 0001-Bug-707510-don-t-use-strlen-on-passwords.patch
 Patch: 0001-Bug-707510-review-printing-of-pointers.patch
 # RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
 Patch: 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
+# RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter()
+Patch: 0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
@@ -443,6 +445,7 @@ done
 - RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
 - RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
 - RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
+- RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter()
 * Thu Jul 11 2024 Zdenek Dohnal - 10.02.1-12
 - RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths