RHEL-67048 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space

Resolves: RHEL-67048
2025-04-16 12:33:37 +02:00 · 2025-04-16 12:33:37 +02:00 · 7e87eee02e
commit 7e87eee02e
parent 31a521d126
2 changed files with 34 additions and 0 deletions
--- a/0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch
+++ b/0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch
@ -0,0 +1,31 @@
+From f49812186baa7d1362880673408a6fbe8719b4f8 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Fri, 30 Aug 2024 13:16:39 +0100
+Subject: [PATCH] PS interpreter - check the type of the Pattern Implementation
+
+Bug #707991
+
+See bug report for details.
+
+CVE-2024-46951
+---
+ psi/zcolor.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/psi/zcolor.c b/psi/zcolor.c
+index d4e7a4438..d3384d75d 100644
+--- a/psi/zcolor.c
+++ b/psi/zcolor.c
+@@ -5276,6 +5276,9 @@ static int patterncomponent(i_ctx_t * i_ctx_p, ref *space, int *n)
+             code = array_get(imemory, pImpl, 0, &pPatInst);
+             if (code < 0)
+                 return code;
+
+            if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
+                return_error(gs_error_typecheck);
+             cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
+             if (pattern_instance_uses_base_space(cc.pattern))
+                 *n = n_comps;
+-- 
+2.49.0
+
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -123,6 +123,8 @@ Patch014: gs-CVE-2024-33869.patch
 Patch015: 0001-Uniprint-device-prevent-string-configuration-changes.patch
 # RHEL-18397 CVE-2023-46751 ghostscript: dangling pointer in gdev_prn_open_printer_seekable()
 Patch016: gs-cve-2023-46751.patch
+# RHEL-67048 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space
+Patch017: 0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch

 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
@ -458,6 +460,7 @@ done
 %changelog
 * Tue Apr 15 2025 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-18
 - RHEL-18397 CVE-2023-46751 ghostscript: dangling pointer in gdev_prn_open_printer_seekable()
+- RHEL-67048 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space

 * Mon Jul 08 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-17
 - RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths