From 46c9fdd4545a3d577b373c632a9245a636b934d7 Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Thu, 20 Jun 2024 09:35:04 +0200 Subject: [PATCH] RHEL-38835 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library Resolves: RHEL-38835 --- ...ent-unsafe-parameter-change-with-SAF.patch | 26 +++++++++++++++++++ ghostscript.spec | 7 ++++- 2 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch diff --git a/0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch b/0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch new file mode 100644 index 0000000..9c736b7 --- /dev/null +++ b/0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch @@ -0,0 +1,26 @@ +diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c +index 74200cf..dc45b22 100644 +--- a/contrib/opvp/gdevopvp.c ++++ b/contrib/opvp/gdevopvp.c +@@ -3296,7 +3296,7 @@ _get_params(gx_device* dev, gs_param_list *plist) + /* vector driver name */ + pname = "Driver"; + vdps.data = (byte *)opdev->globals.vectorDriver; +- vdps.size = (opdev->globals.vectorDriver ? strlen(opdev->globals.vectorDriver) + 1 : 0); ++ vdps.size = (opdev->globals.vectorDriver ? strlen(opdev->globals.vectorDriver) : 0); + vdps.persistent = false; + code = param_write_string(plist, pname, &vdps); + if (code) ecode = code; +@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist) + code = param_read_string(plist, pname, &vdps); + switch (code) { + case 0: ++ if (gs_is_path_control_active(dev->memory) ++ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size ++ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) { ++ param_signal_error(plist, pname, gs_error_invalidaccess); ++ return_error(gs_error_invalidaccess); ++ } + buff = realloc(buff, vdps.size + 1); + memcpy(buff, vdps.data, vdps.size); + buff[vdps.size] = 0; diff --git a/ghostscript.spec b/ghostscript.spec index 23098c3..f2b3e7f 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -45,7 +45,7 @@ Name: ghostscript Summary: Interpreter for PostScript language & PDF Version: 10.02.1 -Release: 8%{?dist} +Release: 9%{?dist} License: AGPL-3.0-or-later @@ -113,6 +113,8 @@ Patch: ghostscript-10.02.1-PostScript-Fix-selectdevice.patch Patch: 0001-Bug-707130-Cast-to-void-to-avoid-compiler-warning.patch # https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8f5c77af6c0b Patch: 0001-X-device-fix-compiler-warning.patch +# RHEL-38835 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library +Patch: 0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch # Downstream patches -- these should be always included when doing rebase: # ------------------ @@ -429,6 +431,9 @@ done # ============================================================================= %changelog +* Thu Jun 20 2024 Zdenek Dohnal - 10.02.1-9 +- RHEL-38835 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library + * Wed Jan 24 2024 Fedora Release Engineering - 10.02.1-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild