RHEL-67050 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution

Resolves: RHEL-67050
2025-04-16 12:50:34 +02:00 · 2025-04-16 12:50:34 +02:00 · 41770e5cc8
commit 41770e5cc8
parent 6b149e4539
2 changed files with 40 additions and 0 deletions
--- a/0001-PostScript-interpreter-fix-buffer-length-check.patch
+++ b/0001-PostScript-interpreter-fix-buffer-length-check.patch
@ -0,0 +1,36 @@
+From f4151f12db32cd3ed26c24327de714bf2c3ed6ca Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Tue, 23 Jul 2024 11:48:39 +0100
+Subject: [PATCH] PostScript interpreter - fix buffer length check
+
+Bug 707895
+
+See bug report for details.
+
+CVE-2024-46956
+---
+ psi/zfile.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/psi/zfile.c b/psi/zfile.c
+index a4f5439cd..cb056494b 100644
+--- a/psi/zfile.c
+++ b/psi/zfile.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
+    All Rights Reserved.
+ 
+    This software is provided AS-IS with no warranty, either express or
+@@ -443,7 +443,7 @@ file_continue(i_ctx_t *i_ctx_p)
+         if (code == ~(uint) 0) {    /* all done */
+             esp -= 6;               /* pop proc, pfen, scratch, devlen, iodev , mark */
+             return o_pop_estack;
+-        } else if (code > len) {      /* overran string */
+        } else if (code > len - devlen) {      /* overran string */
+             return_error(gs_error_rangecheck);
+         }
+         else if (iodev != iodev_default(imemory)
+-- 
+2.49.0
+
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -141,6 +141,9 @@ Patch: 0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch
 # RHEL-67050 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript
 # https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1f21a45df0fa3abec
 Patch: 0001-Bug-707793-Check-for-overflow-validating-format-stri.patch
+# RHEL-67050 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution
+# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32cd3
+Patch: 0001-PostScript-interpreter-fix-buffer-length-check.patch


 # Downstream patches -- these should be always included when doing rebase:
@ -463,6 +466,7 @@ done
 - RHEL-67050 CVE-2024-46952 ghostscript: Buffer Overflow in Ghostscript PDF XRef Stream Handling
 - RHEL-67050 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding
 - RHEL-67050 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript
+- RHEL-67050 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution

 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 10.02.1-14
 - Bump release for October 2024 mass rebuild: