RHEL-44727 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)

Resolves: RHEL-44727
This commit is contained in:
Zdenek Dohnal 2024-07-16 19:04:20 +02:00
parent 2960ec7887
commit 3e51fab06c
2 changed files with 82 additions and 0 deletions

View File

@ -0,0 +1,79 @@
From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 21 Mar 2024 09:01:15 +0000
Subject: [PATCH] Uniprint device - prevent string configuration changes when
SAFER
Bug #707662
We cannot sanitise the string arguments used by the Uniprint device
because they can potentially include anything.
This commit ensures that these strings are locked and cannot be
changed by PostScript once SAFER is activated. Full configuration from
the command line is still possible (see the *.upp files in lib).
This addresses CVE-2024-29510
---
devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/devices/gdevupd.c b/devices/gdevupd.c
index c9389e7bc..016a9260a 100644
--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
@@ -1891,6 +1891,16 @@ out on this copies.
if(!upd_strings[i]) continue;
UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
if(0 == code) {
+ if (gs_is_path_control_active(udev->memory)) {
+ if (strings[i].size != value.size)
+ error = gs_error_invalidaccess;
+ else {
+ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
+ error = gs_error_invalidaccess;
+ }
+ if (error < 0)
+ goto exit;
+ }
if(0 <= error) error |= UPD_PUT_STRINGS;
UPD_MM_DEL_PARAM(udev->memory, strings[i]);
if(!value.size) {
@@ -1908,6 +1918,26 @@ out on this copies.
if(!upd_string_a[i]) continue;
UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
if(0 == code) {
+ if (gs_is_path_control_active(udev->memory)) {
+ if (string_a[i].size != value.size)
+ error = gs_error_invalidaccess;
+ else {
+ int loop;
+ for (loop = 0;loop < string_a[i].size;loop++) {
+ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
+ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
+
+ if (tmp1->size != tmp2->size)
+ error = gs_error_invalidaccess;
+ else {
+ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
+ error = gs_error_invalidaccess;
+ }
+ }
+ }
+ if (error < 0)
+ goto exit;
+ }
if(0 <= error) error |= UPD_PUT_STRING_A;
UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
if(!value.size) {
@@ -2102,6 +2132,7 @@ transferred into the device-structure. In the case of "uniprint", this may
if(0 > code) error = code;
}
+exit:
if(0 < error) { /* Actually something loaded without error */
if(!(upd = udev->upd)) {
--
2.45.2

View File

@ -125,6 +125,8 @@ Patch: 0001-Bug-707510-review-printing-of-pointers.patch
Patch: 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch Patch: 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
# RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter() # RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter()
Patch: 0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch Patch: 0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
# RHEL-44727 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
Patch: 0001-Uniprint-device-prevent-string-configuration-changes.patch
# Downstream patches -- these should be always included when doing rebase: # Downstream patches -- these should be always included when doing rebase:
# ------------------ # ------------------
@ -446,6 +448,7 @@ done
- RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc() - RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()
- RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters - RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters
- RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter() - RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter()
- RHEL-44727 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
* Thu Jul 11 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12 * Thu Jul 11 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
- RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths - RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths