diff --git a/0001-Uniprint-device-prevent-string-configuration-changes.patch b/0001-Uniprint-device-prevent-string-configuration-changes.patch new file mode 100644 index 0000000..0adbfa6 --- /dev/null +++ b/0001-Uniprint-device-prevent-string-configuration-changes.patch @@ -0,0 +1,79 @@ +From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 21 Mar 2024 09:01:15 +0000 +Subject: [PATCH] Uniprint device - prevent string configuration changes when + SAFER + +Bug #707662 + +We cannot sanitise the string arguments used by the Uniprint device +because they can potentially include anything. + +This commit ensures that these strings are locked and cannot be +changed by PostScript once SAFER is activated. Full configuration from +the command line is still possible (see the *.upp files in lib). + +This addresses CVE-2024-29510 +--- + devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/devices/gdevupd.c b/devices/gdevupd.c +index c9389e7bc..016a9260a 100644 +--- a/devices/gdevupd.c ++++ b/devices/gdevupd.c +@@ -1891,6 +1891,16 @@ out on this copies. + if(!upd_strings[i]) continue; + UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory); + if(0 == code) { ++ if (gs_is_path_control_active(udev->memory)) { ++ if (strings[i].size != value.size) ++ error = gs_error_invalidaccess; ++ else { ++ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0) ++ error = gs_error_invalidaccess; ++ } ++ if (error < 0) ++ goto exit; ++ } + if(0 <= error) error |= UPD_PUT_STRINGS; + UPD_MM_DEL_PARAM(udev->memory, strings[i]); + if(!value.size) { +@@ -1908,6 +1918,26 @@ out on this copies. + if(!upd_string_a[i]) continue; + UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory); + if(0 == code) { ++ if (gs_is_path_control_active(udev->memory)) { ++ if (string_a[i].size != value.size) ++ error = gs_error_invalidaccess; ++ else { ++ int loop; ++ for (loop = 0;loop < string_a[i].size;loop++) { ++ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]); ++ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop]; ++ ++ if (tmp1->size != tmp2->size) ++ error = gs_error_invalidaccess; ++ else { ++ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0) ++ error = gs_error_invalidaccess; ++ } ++ } ++ } ++ if (error < 0) ++ goto exit; ++ } + if(0 <= error) error |= UPD_PUT_STRING_A; + UPD_MM_DEL_APARAM(udev->memory, string_a[i]); + if(!value.size) { +@@ -2102,6 +2132,7 @@ transferred into the device-structure. In the case of "uniprint", this may + if(0 > code) error = code; + } + ++exit: + if(0 < error) { /* Actually something loaded without error */ + + if(!(upd = udev->upd)) { +-- +2.45.2 + diff --git a/ghostscript.spec b/ghostscript.spec index 000464c..08a694f 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -125,6 +125,8 @@ Patch: 0001-Bug-707510-review-printing-of-pointers.patch Patch: 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch # RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter() Patch: 0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch +# RHEL-44727 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass) +Patch: 0001-Uniprint-device-prevent-string-configuration-changes.patch # Downstream patches -- these should be always included when doing rebase: # ------------------ @@ -446,6 +448,7 @@ done - RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc() - RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters - RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter() +- RHEL-44727 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass) * Thu Jul 11 2024 Zdenek Dohnal - 10.02.1-12 - RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths