From 41770e5cc869e5e8bfd434e536ad05ced4e0ff1e Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Wed, 16 Apr 2025 12:50:34 +0200
Subject: [PATCH] RHEL-67050 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution
Resolves: RHEL-67050
---
 ...-interpreter-fix-buffer-length-check.patch | 36 +++++++++++++++++++
 ghostscript.spec | 4 +++
 2 files changed, 40 insertions(+)
 create mode 100644 0001-PostScript-interpreter-fix-buffer-length-check.patch
diff --git a/0001-PostScript-interpreter-fix-buffer-length-check.patch b/0001-PostScript-interpreter-fix-buffer-length-check.patch
new file mode 100644
index 0000000..ca02452
--- /dev/null
+++ b/0001-PostScript-interpreter-fix-buffer-length-check.patch
@@ -0,0 +1,36 @@
+From f4151f12db32cd3ed26c24327de714bf2c3ed6ca Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Tue, 23 Jul 2024 11:48:39 +0100
+Subject: [PATCH] PostScript interpreter - fix buffer length check
+
+Bug 707895
+
+See bug report for details.
+
+CVE-2024-46956
+---
+ psi/zfile.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/psi/zfile.c b/psi/zfile.c
+index a4f5439cd..cb056494b 100644
+--- a/psi/zfile.c
++++ b/psi/zfile.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2023 Artifex Software, Inc.
++/* Copyright (C) 2001-2024 Artifex Software, Inc.
+ All Rights Reserved.
+
+ This software is provided AS-IS with no warranty, either express or
+@@ -443,7 +443,7 @@ file_continue(i_ctx_t *i_ctx_p)
+ if (code == ~(uint) 0) { /* all done */
+ esp -= 6; /* pop proc, pfen, scratch, devlen, iodev , mark */
+ return o_pop_estack;
+- } else if (code > len) { /* overran string */
++ } else if (code > len - devlen) { /* overran string */
+ return_error(gs_error_rangecheck);
+ }
+ else if (iodev != iodev_default(imemory)
+--
+2.49.0
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 42de6da..79fff4b 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
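Review bot: The new comparison `code > len - devlen` in the embedded psi/zfile.c hunk is only a sound bound if `len >= devlen` already holds at that point; otherwise the subtraction can wrap and the range check would pass for an oversized `code`. The `~(uint) 0` test two lines above suggests unsigned arithmetic, but the declarations of `len` and `devlen` are outside the hunk, as are the start and end of file_continue. Please confirm against the packaged source that an earlier guard rejects `len < devlen`, or make the condition self-contained, e.g. `devlen > len || code > len - devlen`. Separately, the `@@ -1,4 +1,4 @@` copyright-year hunk is unrelated to the fix and may conflict with other backports touching the same header line; dropping it would keep the downstream patch minimal.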
@@ -141,6 +141,9 @@ Patch: 0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch
 # RHEL-67050 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript
 # https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1f21a45df0fa3abec
 Patch: 0001-Bug-707793-Check-for-overflow-validating-format-stri.patch
+# RHEL-67050 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution
+# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32cd3
+Patch: 0001-PostScript-interpreter-fix-buffer-length-check.patch
 # Downstream patches -- these should be always included when doing rebase:
@@ -463,6 +466,7 @@ done
 - RHEL-67050 CVE-2024-46952 ghostscript: Buffer Overflow in Ghostscript PDF XRef Stream Handling
 - RHEL-67050 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding
 - RHEL-67050 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript
+- RHEL-67050 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution
 * Tue Oct 29 2024 Troy Dawson - 10.02.1-14
 - Bump release for October 2024 mass rebuild: