RHEL-44727 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)

Resolves: RHEL-44727
2024-07-16 19:04:20 +02:00 · 2024-07-16 19:04:20 +02:00 · 3e51fab06c
commit 3e51fab06c
parent 2960ec7887
2 changed files with 82 additions and 0 deletions
--- a/0001-Uniprint-device-prevent-string-configuration-changes.patch
+++ b/0001-Uniprint-device-prevent-string-configuration-changes.patch
@ -0,0 +1,79 @@
+From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 21 Mar 2024 09:01:15 +0000
+Subject: [PATCH] Uniprint device - prevent string configuration changes when
+ SAFER
+
+Bug #707662
+
+We cannot sanitise the string arguments used by the Uniprint device
+because they can potentially include anything.
+
+This commit ensures that these strings are locked and cannot be
+changed by PostScript once SAFER is activated. Full configuration from
+the command line is still possible (see the *.upp files in lib).
+
+This addresses CVE-2024-29510
+---
+ devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/devices/gdevupd.c b/devices/gdevupd.c
+index c9389e7bc..016a9260a 100644
+--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
+@@ -1891,6 +1891,16 @@ out on this copies.
+       if(!upd_strings[i]) continue;
+       UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
+       if(0 == code) {
+        if (gs_is_path_control_active(udev->memory)) {
+            if (strings[i].size != value.size)
+              error = gs_error_invalidaccess;
+            else {
+                if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
+                    error = gs_error_invalidaccess;
+            }
+            if (error < 0)
+                goto exit;
+        }
+          if(0 <= error) error |= UPD_PUT_STRINGS;
+          UPD_MM_DEL_PARAM(udev->memory, strings[i]);
+          if(!value.size) {
+@@ -1908,6 +1918,26 @@ out on this copies.
+       if(!upd_string_a[i]) continue;
+       UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
+       if(0 == code) {
+          if (gs_is_path_control_active(udev->memory)) {
+              if (string_a[i].size != value.size)
+                  error = gs_error_invalidaccess;
+              else {
+                  int loop;
+                  for (loop = 0;loop < string_a[i].size;loop++) {
+                      gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
+                      gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
+
+                      if (tmp1->size != tmp2->size)
+                          error = gs_error_invalidaccess;
+                      else {
+                          if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
+                              error = gs_error_invalidaccess;
+                      }
+                  }
+              }
+            if (error < 0)
+                goto exit;
+          }
+          if(0 <= error) error |= UPD_PUT_STRING_A;
+          UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
+          if(!value.size) {
+@@ -2102,6 +2132,7 @@ transferred into the device-structure. In the case of "uniprint", this may
+       if(0 > code) error = code;
+    }
+ 
+exit:
+    if(0 < error) { /* Actually something loaded without error */
+ 
+       if(!(upd = udev->upd)) {
+-- 
+2.45.2
+
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -125,6 +125,8 @@ Patch: 0001-Bug-707510-review-printing-of-pointers.patch
 Patch: 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
 # RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter()
 Patch: 0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
+# RHEL-44727 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
+Patch: 0001-Uniprint-device-prevent-string-configuration-changes.patch

 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
@ -446,6 +448,7 @@ done
 - RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
 - RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
 - RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter()
+- RHEL-44727 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)

 * Thu Jul 11 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
 - RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths