rpms/ghostscript
5
0
Fork 0
Code Issues Pull Requests Releases Activity

fix for CVE-2023-28879 (#2184586)

Browse Source 
add patch for converting default page name to lowercase (#2183166)
This commit is contained in:
Richard Lescak 2023-04-06 14:25:43 +02:00
parent 6ae7fd4e7d
commit 2f987fc842
4 changed files with 114 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
ghostscript-10.01.0-CVE-2023-28879.patch Normal file
View File

@ -0,0 +1,44 @@
From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Fri, 24 Mar 2023 13:19:57 +0000
Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
Bug #706494 "Buffer Overflow in s_xBCPE_process"
As described in detail in the bug report, if the write buffer is filled
to one byte less than full, and we then try to write an escaped
character, we overrun the buffer because we don't check before
writing two bytes to it.
This just checks if we have two bytes before starting to write an
escaped character and exits if we don't (replacing the consumed byte
of the input).
Up for further discussion; why do we even permit a BCP encoding filter
anyway ? I think we should remove this, at least when SAFER is true.
---
base/sbcp.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/base/sbcp.c b/base/sbcp.c
index 979ae0992..47fc233ec 100644
--- a/base/sbcp.c
+++ b/base/sbcp.c
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
byte ch = *++p;
if (ch <= 31 && escaped[ch]) {
+ /* Make sure we have space to store two characters in the write buffer,
+ * if we don't then exit without consuming the input character, we'll process
+ * that on the next time round.
+ */
+ if (pw->limit - q < 2) {
+ p--;
+ break;
+ }
if (p == rlimit) {
p--;
break;
--
2.39.2

62
ghostscript-10.01.0-convert-defaultpage-to-lowercase.patch Normal file
View File

@ -0,0 +1,62 @@
diff --git a/Resource/Init/gs_statd.ps b/Resource/Init/gs_statd.ps
index 6751c032908337e400c67c02a80cbeae8a8b3122..83181257dea8b3438ccf8ce290422283414f8755 100644 (file)
--- a/Resource/Init/gs_statd.ps
+++ b/Resource/Init/gs_statd.ps
@@ -42,7 +42,7 @@ statusdict begin
% Keep the table of named paper sizes as procedures. Reuse them later
% as compatibility operators.
-/.pagetypeprocs 70 dict begin
+/.pagetypeprocs 81 dict begin
% Define various paper formats. The Adobe documentation defines only these:
% 11x17, a3, a4, a4small, b5, ledger, legal, letter, lettersmall, note.
@@ -116,6 +116,11 @@ statusdict begin
/archC {1296 1728 //.setpagesize stopped { pop pop /archC $error /errorname get signalerror } if } bind def
/archB {864 1296 //.setpagesize stopped { pop pop /archB $error /errorname get signalerror } if } bind def
/archA {648 864 //.setpagesize stopped { pop pop /archA $error /errorname get signalerror } if } bind def
+ /archa /archA load def
+ /archb /archB load def
+ /archc /archC load def
+ /archd /archD load def
+ /arche /archE load def
% Other paper sizes
/flsa {612 936 //.setpagesize stopped { pop pop /flsa $error /errorname get signalerror } if } bind def % U.S. foolscap
/flse {612 936 //.setpagesize stopped { pop pop /flse $error /errorname get signalerror } if } bind def % European foolscap
@@ -132,6 +137,12 @@ statusdict begin
/ANSI_D {1585 2448 //.setpagesize stopped { pop pop /ANSI_D $error /errorname get signalerror } if } bind def
/ANSI_E {2448 3168 //.setpagesize stopped { pop pop /ANSI_E $error /errorname get signalerror } if } bind def
/ANSI_F {2016 2880 //.setpagesize stopped { pop pop /ANSI_F $error /errorname get signalerror } if } bind def
+ /ansi_a /ANSI_A load def
+ /ansi_b /ANSI_B load def
+ /ansi_c /ANSI_C load def
+ /ansi_d /ANSI_D load def
+ /ansi_e /ANSI_E load def
+ /ansi_f /ANSI_F load def
%END SIZES
currentdict end
userdict begin dup { def } forall end % reuse!
diff --git a/psi/zmisc.c b/psi/zmisc.c
--- a/psi/zmisc.c
+++ b/psi/zmisc.c
@@ -255,7 +255,7 @@
{
os_ptr op = osp;
byte *value;
- int len = 0;
+ int len = 0, i;
if (gp_defaultpapersize((char *)0, &len) > 0) {
/* no default paper size */
@@ -269,6 +269,10 @@
return_error(gs_error_VMerror);
}
DISCARD(gp_defaultpapersize((char *)value, &len)); /* can't fail */
+ /* Note 'len' includes the NULL terminator, which we can ignore */
+ for (i = 0;i < (len - 1); i++)
+ value[i] = tolower(value[i]);
+
/* Delete the stupid C string terminator. */
value = iresize_string(value, len, len - 1,
"defaultpapersize value"); /* can't fail */

11
ghostscript-10.01.0-set-a4-as-default-pagesize.patch
View File

@ -1,11 +0,0 @@
--- a/Resource/Init/gs_init.ps 2022-09-21 10:39:46.000000000 +0200
+++ b/Resource/Init/gs_init.ps 2023-03-31 09:43:05.759701348 +0200
@@ -72,7 +72,7 @@
% standard page size A4 rather than US letter, the page size of
% devices that default to letter or A4 can be changed by setting
% DEFAULTPAPERSIZE.
-% /DEFAULTPAPERSIZE (a4) def
+/DEFAULTPAPERSIZE (a4) def
% Turn on array packing for the rest of initialization.
//true setpacking

10
ghostscript.spec
View File

@ -45,7 +45,7 @@
Name: ghostscript
Summary: Interpreter for PostScript language & PDF
Version: 10.01.0
Release: 2%{?dist}
Release: 3%{?dist}
License: AGPL-3.0-or-later
@ -107,7 +107,9 @@ BuildRequires: make
#Patch000: example000.patch
Patch001: ghostscript-10.01.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
Patch002: ghostscript-10.01.0-set-a4-as-default-pagesize.patch
Patch002: ghostscript-10.01.0-convert-defaultpage-to-lowercase.patch
Patch003: ghostscript-10.01.0-CVE-2023-28879.patch
# Downstream patches -- these should be always included when doing rebase:
# ------------------
@ -421,6 +423,10 @@ done
# =============================================================================
%changelog
* Thu Apr 06 2023 Richard Lescak <rlescak@redhat.com> - 10.01.0-3
- fix for CVE-2023-28879 (#2184586)
- add patch for converting default page name to lowercase (#2183166)
* Mon Apr 03 2023 Richard Lescak <rlescak@redhat.com> - 10.01.0-2
- set 'a4' as a default in gs_init.ps to fix unrecognized 'Letter' page size (#2183166)