RHEL-88964 CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow

Resolves: RHEL-88964
Zdenek Dohnal 2025-05-07 12:56:45 +02:00
parent 41770e5cc8
commit 53a3083fb6
2 changed files with 48 additions and 1 deletions

@ -0,0 +1,41 @@
From 57291c846334f1585552010faa42d7cb2cbd5c41 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Wed, 20 Nov 2024 11:42:31 +0000
Subject: [PATCH] Bug 708133: Avoid integer overflow leading to buffer overflow
The calculation of the buffer size was being done with int values, and
overflowing that data type. By leaving the total size calculation to the
memory manager, the calculation ends up being done in size_t values, and
avoiding the overflow in this case, but also meaning the memory manager
overflow protection will be effective.
CVE-2025-27832
---
contrib/japanese/gdevnpdl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
index 60065bacf..4967282bd 100644
--- a/contrib/japanese/gdevnpdl.c
+++ b/contrib/japanese/gdevnpdl.c
@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
int code;
int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
+ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
return_error(gs_error_VMerror);
/* Initialize printer */
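Review bot: `maxY` on the context line above the allocation is still computed in `int` as `lprn->BlockLine / lprn->nBh * lprn->nBh`, and nothing visible in this hunk rejects `lprn->nBh == 0`, or a zero or negative `line_size` or `maxY`, before the two values reach `gs_malloc`. With the multiplication left to the memory manager, a negative `int` would be converted to a very large unsigned size and only be caught indirectly as an allocation failure. Suggest validating both values ahead of the call and returning an error, or noting where that is already enforced. A one-line comment that the two sizes are passed separately on purpose would also keep a later cleanup from folding them back into `line_size * maxY`.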
@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
/* Form Feed */
gp_fputs("\014", prn_stream);
- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
+ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
return 0;
}
--
2.49.0
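Review bot: after the `gs_free` call just before `return 0;`, `lprn->CompBuf` still holds the freed address, and because it is a field reached through `lprn` rather than a local, the stale pointer outlives this function. Suggest adding `lprn->CompBuf = NULL;` directly after the free. The size arguments here now have to mirror the allocation in the first hunk by hand, so it is also worth checking that every error return between the allocation and this point releases the buffer with the same `line_size, maxY` pair, since the visible lines only show the release on the success path.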

@ -45,7 +45,7 @@
Name: ghostscript
Summary: Interpreter for PostScript language & PDF
Version: 10.02.1
Release: 15%{?dist}
Release: 16%{?dist}
License: AGPL-3.0-or-later
@ -144,6 +144,9 @@ Patch: 0001-Bug-707793-Check-for-overflow-validating-format-stri.patch
# RHEL-67050 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32cd3
Patch: 0001-PostScript-interpreter-fix-buffer-length-check.patch
# RHEL-88964 CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow
# https://github.com/ArtifexSoftware/ghostpdl/commit/57291c846334f1585552010faa42d7cb2cbd5c41
Patch: 0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch
# Downstream patches -- these should be always included when doing rebase:
@ -461,6 +464,9 @@ done
# =============================================================================
%changelog
* Wed May 07 2025 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-16
- RHEL-88964 CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow
* Tue Apr 15 2025 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-15
- RHEL-67044 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space
- RHEL-67050 CVE-2024-46952 ghostscript: Buffer Overflow in Ghostscript PDF XRef Stream Handling
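Review bot: in the context lines of the 10.02.1-15 entry, RHEL-67050 is listed with CVE-2024-46952, while the `Patch:` comment earlier in the spec pairs RHEL-67050 with CVE-2024-46956. This is not introduced by the change, but it is worth confirming which identifier is correct and aligning the two while the changelog is being touched. The new 10.02.1-16 entry itself is consistent with the `Release:` bump and the commit subject.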