From 53a3083fb623a9ba3bdbf781ad6a0d8942bb97c7 Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Wed, 7 May 2025 12:56:45 +0200 Subject: [PATCH] RHEL-88964 CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow Resolves: RHEL-88964 --- ...-integer-overflow-leading-to-buffer-.patch | 41 +++++++++++++++++++ ghostscript.spec | 8 +++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch diff --git a/0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch b/0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch new file mode 100644 index 0000000..09f9b86 --- /dev/null +++ b/0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch @@ -0,0 +1,41 @@ +From 57291c846334f1585552010faa42d7cb2cbd5c41 Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra +Date: Wed, 20 Nov 2024 11:42:31 +0000 +Subject: [PATCH] Bug 708133: Avoid integer overflow leading to buffer overflow + +The calculation of the buffer size was being done with int values, and +overflowing that data type. By leaving the total size calculation to the +memory manager, the calculation ends up being done in size_t values, and +avoiding the overflow in this case, but also meaning the memory manager +overflow protection will be effective. + +CVE-2025-27832 +--- + contrib/japanese/gdevnpdl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c +index 60065bacf..4967282bd 100644 +--- a/contrib/japanese/gdevnpdl.c ++++ b/contrib/japanese/gdevnpdl.c +@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c + int code; + int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh; + +- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)"))) ++ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)"))) + return_error(gs_error_VMerror); + + /* Initialize printer */ +@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c + /* Form Feed */ + gp_fputs("\014", prn_stream); + +- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)"); ++ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)"); + return 0; + } + +-- +2.49.0 + diff --git a/ghostscript.spec b/ghostscript.spec index 79fff4b..0f6b69e 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -45,7 +45,7 @@ Name: ghostscript Summary: Interpreter for PostScript language & PDF Version: 10.02.1 -Release: 15%{?dist} +Release: 16%{?dist} License: AGPL-3.0-or-later @@ -144,6 +144,9 @@ Patch: 0001-Bug-707793-Check-for-overflow-validating-format-stri.patch # RHEL-67050 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution # https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32cd3 Patch: 0001-PostScript-interpreter-fix-buffer-length-check.patch +# RHEL-88964 CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow +# https://github.com/ArtifexSoftware/ghostpdl/commit/57291c846334f1585552010faa42d7cb2cbd5c41 +Patch: 0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch # Downstream patches -- these should be always included when doing rebase: @@ -461,6 +464,9 @@ done # ============================================================================= %changelog +* Wed May 07 2025 Zdenek Dohnal - 10.02.1-16 +- RHEL-88964 CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow + * Tue Apr 15 2025 Zdenek Dohnal - 10.02.1-15 - RHEL-67044 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space - RHEL-67050 CVE-2024-46952 ghostscript: Buffer Overflow in Ghostscript PDF XRef Stream Handling