From 902d50fe757692db015431011a1d655d3e7e06ea Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 27 Sep 2023 12:59:44 +0000 Subject: [PATCH] import CS ghostscript-9.27-11.el8 --- SOURCES/ghostscript-9.27-CVE-2023-28879.patch | 44 ++++++++ SOURCES/ghostscript-9.27-CVE-2023-38559.patch | 27 +++++ SOURCES/ghostscript-9.27-CVE-2023-4042.patch | 28 +++++ SOURCES/ghostscript-9.27-fix-bbox.patch | 63 +++++++++++ ...ite-Substituted-TTF-CIDFont-CID-hand.patch | 106 ++++++++++++++++++ SPECS/ghostscript.spec | 27 ++++- 6 files changed, 294 insertions(+), 1 deletion(-) create mode 100644 SOURCES/ghostscript-9.27-CVE-2023-28879.patch create mode 100644 SOURCES/ghostscript-9.27-CVE-2023-38559.patch create mode 100644 SOURCES/ghostscript-9.27-CVE-2023-4042.patch create mode 100644 SOURCES/ghostscript-9.27-fix-bbox.patch create mode 100644 SOURCES/ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch diff --git a/SOURCES/ghostscript-9.27-CVE-2023-28879.patch b/SOURCES/ghostscript-9.27-CVE-2023-28879.patch new file mode 100644 index 0000000..0629e99 --- /dev/null +++ b/SOURCES/ghostscript-9.27-CVE-2023-28879.patch @@ -0,0 +1,44 @@ +From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Fri, 24 Mar 2023 13:19:57 +0000 +Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding + +Bug #706494 "Buffer Overflow in s_xBCPE_process" + +As described in detail in the bug report, if the write buffer is filled +to one byte less than full, and we then try to write an escaped +character, we overrun the buffer because we don't check before +writing two bytes to it. + +This just checks if we have two bytes before starting to write an +escaped character and exits if we don't (replacing the consumed byte +of the input). + +Up for further discussion; why do we even permit a BCP encoding filter +anyway ? I think we should remove this, at least when SAFER is true. +--- + base/sbcp.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/base/sbcp.c b/base/sbcp.c +index 979ae0992..47fc233ec 100644 +--- a/base/sbcp.c ++++ b/base/sbcp.c +@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr, + byte ch = *++p; + + if (ch <= 31 && escaped[ch]) { ++ /* Make sure we have space to store two characters in the write buffer, ++ * if we don't then exit without consuming the input character, we'll process ++ * that on the next time round. ++ */ ++ if (pw->limit - q < 2) { ++ p--; ++ break; ++ } + if (p == rlimit) { + p--; + break; +-- +2.39.2 + diff --git a/SOURCES/ghostscript-9.27-CVE-2023-38559.patch b/SOURCES/ghostscript-9.27-CVE-2023-38559.patch new file mode 100644 index 0000000..74e6fb8 --- /dev/null +++ b/SOURCES/ghostscript-9.27-CVE-2023-38559.patch @@ -0,0 +1,27 @@ +From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Mon, 17 Jul 2023 14:06:37 +0100 +Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from + devices/gdevpcx.c + +Bounds check the buffer, before dereferencing the pointer. +--- + base/gdevdevn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/gdevdevn.c b/base/gdevdevn.c +index 7b14d9c71..6351fb77a 100644 +--- a/base/gdevdevn.c ++++ b/base/gdevdevn.c +@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file + byte data = *from; + + from += step; +- if (data != *from || from == end) { ++ if (from >= end || data != *from) { + if (data >= 0xc0) + putc(0xc1, file); + } else { +-- +2.41.0 + diff --git a/SOURCES/ghostscript-9.27-CVE-2023-4042.patch b/SOURCES/ghostscript-9.27-CVE-2023-4042.patch new file mode 100644 index 0000000..d2b9af7 --- /dev/null +++ b/SOURCES/ghostscript-9.27-CVE-2023-4042.patch @@ -0,0 +1,28 @@ +From 2793769ff107d8d22dadd30c6e68cd781b569550 Mon Sep 17 00:00:00 2001 +From: Julian Smith +Date: Mon, 4 Nov 2019 12:30:33 +0000 +Subject: [PATCH] Bug 701819: fixed ordering in if expression to avoid + out-of-bounds access. + +Fixes: + ./sanbin/gs -dBATCH -dNOPAUSE -r965 -sOutputFile=tmp -sDEVICE=pcx16 ../bug-701819.pdf +--- + devices/gdevpcx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/devices/gdevpcx.c b/devices/gdevpcx.c +index 1735851d2..91de4abb6 100644 +--- a/devices/gdevpcx.c ++++ b/devices/gdevpcx.c +@@ -442,7 +442,7 @@ pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file) + byte data = *from; + + from += step; +- if (data != *from || from == end) { ++ if (from >= end || data != *from) { + if (data >= 0xc0) + putc(0xc1, file); + } else { +-- +2.41.0 + diff --git a/SOURCES/ghostscript-9.27-fix-bbox.patch b/SOURCES/ghostscript-9.27-fix-bbox.patch new file mode 100644 index 0000000..fdb7f3a --- /dev/null +++ b/SOURCES/ghostscript-9.27-fix-bbox.patch @@ -0,0 +1,63 @@ +diff -Napur ghostscript-9.27.old/base/fapi_ft.c ghostscript-9.27.new/base/fapi_ft.c +--- ghostscript-9.27.old/base/fapi_ft.c 2019-04-04 00:43:14.000000000 -0700 ++++ ghostscript-9.27.new/base/fapi_ft.c 2023-03-07 16:41:56.217995052 -0800 +@@ -974,13 +974,19 @@ make_rotation(FT_Matrix * a_transform, c + */ + static void + transform_decompose(FT_Matrix * a_transform, FT_UInt * xresp, FT_UInt * yresp, +- FT_Fixed * a_x_scale, FT_Fixed * a_y_scale) ++ FT_Fixed * a_x_scale, FT_Fixed * a_y_scale, int units_per_EM) + { + double scalex, scaley, fact = 1.0; + double factx = 1.0, facty = 1.0; + FT_Matrix ftscale_mat; + FT_UInt xres; + FT_UInt yres; ++ /* We have to account for units_per_EM as we fiddle with the scaling ++ * in order to avoid underflow (mostly in the TTF hinting code), but ++ * we also want to clamp to a lower value (512, admittedly arrived at ++ * via experimentation) in order to preserve the fidelity of the outlines. ++ */ ++ double upe = units_per_EM > 512 ? (float)units_per_EM : 512.0; + + scalex = hypot((double)a_transform->xx, (double)a_transform->xy); + scaley = hypot((double)a_transform->yx, (double)a_transform->yy); +@@ -1067,10 +1073,25 @@ transform_decompose(FT_Matrix * a_transf + scalex *= fact; + } + +- ftscale_mat.xx = (FT_Fixed) (65536.0 / scalex); +- ftscale_mat.xy = (FT_Fixed) 0; +- ftscale_mat.yx = (FT_Fixed) 0; +- ftscale_mat.yy = (FT_Fixed) (65536.0 / scaley); ++ /* see above */ ++ fact = 1.0; ++ while (scaley * yres > (double)upe * 72.0 && (xres > 0 && yres > 0) ++ && (scalex > 0.0 && scaley > 0.0)) { ++ if (scaley < yres) { ++ xres >>= 1; ++ yres >>= 1; ++ fact *= 2.0; ++ } ++ else { ++ scalex /= 1.25; ++ scaley /= 1.25; ++ } ++ } ++ ++ ftscale_mat.xx = (FT_Fixed) ((65536.0 / scalex) * fact); ++ ftscale_mat.xy = 0; ++ ftscale_mat.yx = 0; ++ ftscale_mat.yy = (FT_Fixed) ((65536.0 / scaley) * fact); + + FT_Matrix_Multiply(a_transform, &ftscale_mat); + memcpy(a_transform, &ftscale_mat, sizeof(FT_Matrix)); +@@ -1315,7 +1336,7 @@ gs_fapi_ft_get_scaled_font(gs_fapi_serve + * transform. + */ + transform_decompose(&face->ft_transform, &face->horz_res, +- &face->vert_res, &face->width, &face->height); ++ &face->vert_res, &face->width, &face->height, face->ft_face->units_per_EM); + + ft_error = FT_Set_Char_Size(face->ft_face, face->width, face->height, + face->horz_res, face->vert_res); diff --git a/SOURCES/ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch b/SOURCES/ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch new file mode 100644 index 0000000..29dbebb --- /dev/null +++ b/SOURCES/ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch @@ -0,0 +1,106 @@ +From 346f12459aa67cdb5ff9e267c2c8cccc17f4a376 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Wed, 15 Mar 2023 15:38:29 +0000 +Subject: [PATCH] Bug 706478: pdfwrite: Substituted TTF CIDFont CID handling + +The PS interpreter callback that handles converting a CID to a TTF GID did +not handle the case of substituted CIDFonts. + +It requires looking up the CID on the Decoding (to get a Unicode code point), +and then looking up the code point in the TTF cmap table to get the GID. + +The rendering code already handled it. +--- + psi/zfcid1.c | 73 +++++++++++++++++++++++++++++++++------------------- + 1 file changed, 46 insertions(+), 27 deletions(-) + +diff --git a/psi/zfcid1.c b/psi/zfcid1.c +index fd502ff12..55de85d45 100644 +--- a/psi/zfcid1.c ++++ b/psi/zfcid1.c +@@ -77,37 +77,56 @@ + int gdbytes = pfont->cidata.common.GDBytes; + int gnum = 0; + const byte *data; +- int i, code; ++ int i, code = -1; + ref rcid; + ref *prgnum; ++ ref *p, *fdict = pfont_dict(pfont); ++ ++ if (r_has_type(fdict, t_dictionary) && dict_find_string(fdict, "Path", &p)) { ++ ref *Decoding = NULL, *TT_cmap = NULL, *SubstNWP = NULL, src_type, dst_type; ++ uint c; ++ ++ code = dict_find_string(fdict, "Decoding", &Decoding); ++ if (code > 0) ++ code = dict_find_string(fdict, "TT_cmap", &TT_cmap); ++ if (code > 0) ++ code = dict_find_string(fdict, "SubstNWP", &SubstNWP); ++ if (code > 0) { ++ code = cid_to_TT_charcode(pfont->memory, Decoding, TT_cmap, SubstNWP, cid, &c, &src_type, &dst_type); ++ if (code >= 0) ++ gnum = c; ++ } ++ } + +- switch (r_type(pcidmap)) { +- case t_string: +- if (cid >= r_size(pcidmap) / gdbytes) +- return_error(gs_error_rangecheck); +- data = pcidmap->value.const_bytes + cid * gdbytes; +- break; +- case t_integer: +- return cid + pcidmap->value.intval; +- case t_dictionary: +- make_int(&rcid, cid); +- code = dict_find(pcidmap, &rcid, &prgnum); +- if (code <= 0) +- return (code < 0 ? code : gs_note_error(gs_error_undefined)); +- if (!r_has_type(prgnum, t_integer)) +- return_error(gs_error_typecheck); +- return prgnum->value.intval; +- default: /* array type */ +- code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes, +- gdbytes, NULL, NULL, &data); ++ if (code < 0) { ++ switch (r_type(pcidmap)) { ++ case t_string: ++ if (cid >= r_size(pcidmap) / gdbytes) ++ return_error(gs_error_rangecheck); ++ data = pcidmap->value.const_bytes + cid * gdbytes; ++ break; ++ case t_integer: ++ return cid + pcidmap->value.intval; ++ case t_dictionary: ++ make_int(&rcid, cid); ++ code = dict_find(pcidmap, &rcid, &prgnum); ++ if (code <= 0) ++ return (code < 0 ? code : gs_note_error(gs_error_undefined)); ++ if (!r_has_type(prgnum, t_integer)) ++ return_error(gs_error_typecheck); ++ return prgnum->value.intval; ++ default: /* array type */ ++ code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes, ++ gdbytes, NULL, NULL, &data); + +- if (code < 0) +- return code; +- if ( code > 0 ) +- return_error(gs_error_invalidfont); ++ if (code < 0) ++ return code; ++ if ( code > 0 ) ++ return_error(gs_error_invalidfont); ++ } ++ for (i = 0; i < gdbytes; ++i) ++ gnum = (gnum << 8) + data[i]; + } +- for (i = 0; i < gdbytes; ++i) +- gnum = (gnum << 8) + data[i]; + if (gnum >= pfont->data.trueNumGlyphs) + return_error(gs_error_invalidfont); + return gnum; +-- +2.39.2 + diff --git a/SPECS/ghostscript.spec b/SPECS/ghostscript.spec index d670979..6a4b9b5 100644 --- a/SPECS/ghostscript.spec +++ b/SPECS/ghostscript.spec @@ -37,7 +37,7 @@ Name: ghostscript Summary: Interpreter for PostScript language & PDF Version: 9.27 -Release: 6%{?dist} +Release: 11%{?dist} License: AGPLv3+ @@ -107,6 +107,11 @@ Patch014: ghostscript-cve-2020-16301.patch Patch015: ghostscript-9.27-fix-use-of-HWMargins.patch Patch016: ghostscript-9.27-Deal-with-different-VM-modes-during-CIDFont-loading.patch Patch017: ghostscript-9.27-ESC-Page-driver-does-not-set-page-size-correctly.patch +Patch018: ghostscript-9.27-fix-bbox.patch +Patch019: ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch +Patch020: ghostscript-9.27-CVE-2023-28879.patch +Patch021: ghostscript-9.27-CVE-2023-38559.patch +Patch022: ghostscript-9.27-CVE-2023-4042.patch # Downstream patches -- these should be always included when doing rebase: @@ -447,6 +452,26 @@ done # ============================================================================= %changelog +* Fri Aug 04 2023 Richard Lescak - 9.27-11 +- fix for CVE-2023-4042 +- Resolves: rhbz#2228153 + +* Fri Aug 04 2023 Richard Lescak - 9.27-10 +- fix for CVE-2023-38559 +- Resolves: rhbz#2224371 + +* Fri May 05 2023 Richard Lescak - 9.27-9 +- fix for CVE-2023-28879 +- Resolves: rhbz#2188297 + +* Fri Mar 17 2023 Richard Lescak - 9.27-8 +- fix embedding of CIDFonts +- Resolves: rhbz#2169890 + +* Wed Mar 15 2023 Richard Lescak - 9.27-7 +- fix bbox device calculating bounding box incorrectly +- Resolves: rhbz#2176327 + * Thu Feb 02 2023 Richard Lescak - 9.27-6 - set the page size for A4 correctly in ESC/Page driver - Resolves: rhbz#2164603