rpms/ghostscript
7
0
Fork 0
Code Issues Pull Requests Releases Activity

RHEL-46575 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction

Browse Source 
Resolves: RHEL-46575
This commit is contained in:
Zdenek Dohnal 2024-07-17 08:44:35 +02:00
parent 3e51fab06c
commit 858683345a
2 changed files with 49 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
0001-Bug-707691.patch Normal file
View File

@ -0,0 +1,43 @@
diff --git a/base/gpmisc.c b/base/gpmisc.c
index c4a69b0..b0d5c71 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1090,6 +1090,27 @@ gp_validate_path_len(const gs_memory_t *mem,
rlen = len;
}
else {
+ char *test = (char *)path, *test1;
+ uint tlen = len, slen;
+
+ /* Look for any pipe (%pipe% or '|' specifications between path separators
+ * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
+ */
+ while (tlen > 0) {
+ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
+ code = gs_note_error(gs_error_invalidfileaccess);
+ goto exit;
+ }
+ test1 = test;
+ slen = search_separator((const char **)&test, path + len, test1, 1);
+ if(slen == 0)
+ break;
+ test += slen;
+ tlen -= test - test1;
+ if (test >= path + len)
+ break;
+ }
+
rlen = len+1;
bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
if (bufferfull == NULL)
@@ -1164,8 +1185,8 @@ gp_validate_path_len(const gs_memory_t *mem,
continue;
}
- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
- buffer = bufferfull + cdirstrl + dirsepstrl;
+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
+ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
continue;
}
break;

7
ghostscript.spec
View File

@ -45,7 +45,7 @@
Name: ghostscript Name: ghostscript
Summary: Interpreter for PostScript language & PDF Summary: Interpreter for PostScript language & PDF
Version: 10.02.1 Version: 10.02.1
Release: 12%{?dist} Release: 13%{?dist}
License: AGPL-3.0-or-later License: AGPL-3.0-or-later
@ -127,6 +127,8 @@ Patch: 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
Patch: 0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch Patch: 0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
# RHEL-44727 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass) # RHEL-44727 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
Patch: 0001-Uniprint-device-prevent-string-configuration-changes.patch Patch: 0001-Uniprint-device-prevent-string-configuration-changes.patch
# RHEL-46575 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
Patch: 0001-Bug-707691.patch
# Downstream patches -- these should be always included when doing rebase: # Downstream patches -- these should be always included when doing rebase:
# ------------------ # ------------------
@ -443,6 +445,9 @@ done
# ============================================================================= # =============================================================================
%changelog %changelog
* Wed Jul 17 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-13
- RHEL-46575 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
* Tue Jul 16 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12 * Tue Jul 16 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
- RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter - RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter
- RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc() - RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()