From 46c9fdd4545a3d577b373c632a9245a636b934d7 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Thu, 20 Jun 2024 09:35:04 +0200
Subject: [PATCH] RHEL-38835 CVE-2024-33871 ghostscript: OPVP device arbitrary
 code execution via custom Driver library

Resolves: RHEL-38835
---
 ...ent-unsafe-parameter-change-with-SAF.patch | 26 +++++++++++++++++++
 ghostscript.spec                              |  7 ++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch

diff --git a/0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch b/0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch
new file mode 100644
index 0000000..9c736b7
--- /dev/null
+++ b/0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch
@@ -0,0 +1,26 @@
+diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
+index 74200cf..dc45b22 100644
+--- a/contrib/opvp/gdevopvp.c
++++ b/contrib/opvp/gdevopvp.c
+@@ -3296,7 +3296,7 @@ _get_params(gx_device* dev, gs_param_list *plist)
+     /* vector driver name */
+     pname = "Driver";
+     vdps.data = (byte *)opdev->globals.vectorDriver;
+-    vdps.size = (opdev->globals.vectorDriver ? strlen(opdev->globals.vectorDriver) + 1 : 0);
++    vdps.size = (opdev->globals.vectorDriver ? strlen(opdev->globals.vectorDriver) : 0);
+     vdps.persistent = false;
+     code = param_write_string(plist, pname, &vdps);
+     if (code) ecode = code;
+@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist)
+     code = param_read_string(plist, pname, &vdps);
+     switch (code) {
+     case 0:
++        if (gs_is_path_control_active(dev->memory)
++            && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size
++                || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) {
++            param_signal_error(plist, pname, gs_error_invalidaccess);
++            return_error(gs_error_invalidaccess);
++        }
+         buff = realloc(buff, vdps.size + 1);
+         memcpy(buff, vdps.data, vdps.size);
+         buff[vdps.size] = 0;
diff --git a/ghostscript.spec b/ghostscript.spec
index 23098c3..f2b3e7f 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -45,7 +45,7 @@
 Name:             ghostscript
 Summary:          Interpreter for PostScript language & PDF
 Version:          10.02.1
-Release:          8%{?dist}
+Release:          9%{?dist}
 
 License:          AGPL-3.0-or-later
 
@@ -113,6 +113,8 @@ Patch: ghostscript-10.02.1-PostScript-Fix-selectdevice.patch
 Patch: 0001-Bug-707130-Cast-to-void-to-avoid-compiler-warning.patch
 # https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8f5c77af6c0b
 Patch: 0001-X-device-fix-compiler-warning.patch
+# RHEL-38835 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
+Patch: 0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch
 
 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
@@ -429,6 +431,9 @@ done
 # =============================================================================
 
 %changelog
+* Thu Jun 20 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-9
+- RHEL-38835 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
+
 * Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 10.02.1-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild