import CS ghostscript-9.27-11.el8
This commit is contained in:
parent
112b94ac93
commit
902d50fe75
44
SOURCES/ghostscript-9.27-CVE-2023-28879.patch
Normal file
44
SOURCES/ghostscript-9.27-CVE-2023-28879.patch
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ken Sharp <ken.sharp@artifex.com>
|
||||||
|
Date: Fri, 24 Mar 2023 13:19:57 +0000
|
||||||
|
Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
|
||||||
|
|
||||||
|
Bug #706494 "Buffer Overflow in s_xBCPE_process"
|
||||||
|
|
||||||
|
As described in detail in the bug report, if the write buffer is filled
|
||||||
|
to one byte less than full, and we then try to write an escaped
|
||||||
|
character, we overrun the buffer because we don't check before
|
||||||
|
writing two bytes to it.
|
||||||
|
|
||||||
|
This just checks if we have two bytes before starting to write an
|
||||||
|
escaped character and exits if we don't (replacing the consumed byte
|
||||||
|
of the input).
|
||||||
|
|
||||||
|
Up for further discussion; why do we even permit a BCP encoding filter
|
||||||
|
anyway ? I think we should remove this, at least when SAFER is true.
|
||||||
|
---
|
||||||
|
base/sbcp.c | 10 +++++++++-
|
||||||
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/base/sbcp.c b/base/sbcp.c
|
||||||
|
index 979ae0992..47fc233ec 100644
|
||||||
|
--- a/base/sbcp.c
|
||||||
|
+++ b/base/sbcp.c
|
||||||
|
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
|
||||||
|
byte ch = *++p;
|
||||||
|
|
||||||
|
if (ch <= 31 && escaped[ch]) {
|
||||||
|
+ /* Make sure we have space to store two characters in the write buffer,
|
||||||
|
+ * if we don't then exit without consuming the input character, we'll process
|
||||||
|
+ * that on the next time round.
|
||||||
|
+ */
|
||||||
|
+ if (pw->limit - q < 2) {
|
||||||
|
+ p--;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
if (p == rlimit) {
|
||||||
|
p--;
|
||||||
|
break;
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
27
SOURCES/ghostscript-9.27-CVE-2023-38559.patch
Normal file
27
SOURCES/ghostscript-9.27-CVE-2023-38559.patch
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Chris Liddell <chris.liddell@artifex.com>
|
||||||
|
Date: Mon, 17 Jul 2023 14:06:37 +0100
|
||||||
|
Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from
|
||||||
|
devices/gdevpcx.c
|
||||||
|
|
||||||
|
Bounds check the buffer, before dereferencing the pointer.
|
||||||
|
---
|
||||||
|
base/gdevdevn.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/base/gdevdevn.c b/base/gdevdevn.c
|
||||||
|
index 7b14d9c71..6351fb77a 100644
|
||||||
|
--- a/base/gdevdevn.c
|
||||||
|
+++ b/base/gdevdevn.c
|
||||||
|
@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file
|
||||||
|
byte data = *from;
|
||||||
|
|
||||||
|
from += step;
|
||||||
|
- if (data != *from || from == end) {
|
||||||
|
+ if (from >= end || data != *from) {
|
||||||
|
if (data >= 0xc0)
|
||||||
|
putc(0xc1, file);
|
||||||
|
} else {
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
28
SOURCES/ghostscript-9.27-CVE-2023-4042.patch
Normal file
28
SOURCES/ghostscript-9.27-CVE-2023-4042.patch
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
From 2793769ff107d8d22dadd30c6e68cd781b569550 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julian Smith <jules@op59.net>
|
||||||
|
Date: Mon, 4 Nov 2019 12:30:33 +0000
|
||||||
|
Subject: [PATCH] Bug 701819: fixed ordering in if expression to avoid
|
||||||
|
out-of-bounds access.
|
||||||
|
|
||||||
|
Fixes:
|
||||||
|
./sanbin/gs -dBATCH -dNOPAUSE -r965 -sOutputFile=tmp -sDEVICE=pcx16 ../bug-701819.pdf
|
||||||
|
---
|
||||||
|
devices/gdevpcx.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/devices/gdevpcx.c b/devices/gdevpcx.c
|
||||||
|
index 1735851d2..91de4abb6 100644
|
||||||
|
--- a/devices/gdevpcx.c
|
||||||
|
+++ b/devices/gdevpcx.c
|
||||||
|
@@ -442,7 +442,7 @@ pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file)
|
||||||
|
byte data = *from;
|
||||||
|
|
||||||
|
from += step;
|
||||||
|
- if (data != *from || from == end) {
|
||||||
|
+ if (from >= end || data != *from) {
|
||||||
|
if (data >= 0xc0)
|
||||||
|
putc(0xc1, file);
|
||||||
|
} else {
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
63
SOURCES/ghostscript-9.27-fix-bbox.patch
Normal file
63
SOURCES/ghostscript-9.27-fix-bbox.patch
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
diff -Napur ghostscript-9.27.old/base/fapi_ft.c ghostscript-9.27.new/base/fapi_ft.c
|
||||||
|
--- ghostscript-9.27.old/base/fapi_ft.c 2019-04-04 00:43:14.000000000 -0700
|
||||||
|
+++ ghostscript-9.27.new/base/fapi_ft.c 2023-03-07 16:41:56.217995052 -0800
|
||||||
|
@@ -974,13 +974,19 @@ make_rotation(FT_Matrix * a_transform, c
|
||||||
|
*/
|
||||||
|
static void
|
||||||
|
transform_decompose(FT_Matrix * a_transform, FT_UInt * xresp, FT_UInt * yresp,
|
||||||
|
- FT_Fixed * a_x_scale, FT_Fixed * a_y_scale)
|
||||||
|
+ FT_Fixed * a_x_scale, FT_Fixed * a_y_scale, int units_per_EM)
|
||||||
|
{
|
||||||
|
double scalex, scaley, fact = 1.0;
|
||||||
|
double factx = 1.0, facty = 1.0;
|
||||||
|
FT_Matrix ftscale_mat;
|
||||||
|
FT_UInt xres;
|
||||||
|
FT_UInt yres;
|
||||||
|
+ /* We have to account for units_per_EM as we fiddle with the scaling
|
||||||
|
+ * in order to avoid underflow (mostly in the TTF hinting code), but
|
||||||
|
+ * we also want to clamp to a lower value (512, admittedly arrived at
|
||||||
|
+ * via experimentation) in order to preserve the fidelity of the outlines.
|
||||||
|
+ */
|
||||||
|
+ double upe = units_per_EM > 512 ? (float)units_per_EM : 512.0;
|
||||||
|
|
||||||
|
scalex = hypot((double)a_transform->xx, (double)a_transform->xy);
|
||||||
|
scaley = hypot((double)a_transform->yx, (double)a_transform->yy);
|
||||||
|
@@ -1067,10 +1073,25 @@ transform_decompose(FT_Matrix * a_transf
|
||||||
|
scalex *= fact;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ftscale_mat.xx = (FT_Fixed) (65536.0 / scalex);
|
||||||
|
- ftscale_mat.xy = (FT_Fixed) 0;
|
||||||
|
- ftscale_mat.yx = (FT_Fixed) 0;
|
||||||
|
- ftscale_mat.yy = (FT_Fixed) (65536.0 / scaley);
|
||||||
|
+ /* see above */
|
||||||
|
+ fact = 1.0;
|
||||||
|
+ while (scaley * yres > (double)upe * 72.0 && (xres > 0 && yres > 0)
|
||||||
|
+ && (scalex > 0.0 && scaley > 0.0)) {
|
||||||
|
+ if (scaley < yres) {
|
||||||
|
+ xres >>= 1;
|
||||||
|
+ yres >>= 1;
|
||||||
|
+ fact *= 2.0;
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
|
+ scalex /= 1.25;
|
||||||
|
+ scaley /= 1.25;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ftscale_mat.xx = (FT_Fixed) ((65536.0 / scalex) * fact);
|
||||||
|
+ ftscale_mat.xy = 0;
|
||||||
|
+ ftscale_mat.yx = 0;
|
||||||
|
+ ftscale_mat.yy = (FT_Fixed) ((65536.0 / scaley) * fact);
|
||||||
|
|
||||||
|
FT_Matrix_Multiply(a_transform, &ftscale_mat);
|
||||||
|
memcpy(a_transform, &ftscale_mat, sizeof(FT_Matrix));
|
||||||
|
@@ -1315,7 +1336,7 @@ gs_fapi_ft_get_scaled_font(gs_fapi_serve
|
||||||
|
* transform.
|
||||||
|
*/
|
||||||
|
transform_decompose(&face->ft_transform, &face->horz_res,
|
||||||
|
- &face->vert_res, &face->width, &face->height);
|
||||||
|
+ &face->vert_res, &face->width, &face->height, face->ft_face->units_per_EM);
|
||||||
|
|
||||||
|
ft_error = FT_Set_Char_Size(face->ft_face, face->width, face->height,
|
||||||
|
face->horz_res, face->vert_res);
|
@ -0,0 +1,106 @@
|
|||||||
|
From 346f12459aa67cdb5ff9e267c2c8cccc17f4a376 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Chris Liddell <chris.liddell@artifex.com>
|
||||||
|
Date: Wed, 15 Mar 2023 15:38:29 +0000
|
||||||
|
Subject: [PATCH] Bug 706478: pdfwrite: Substituted TTF CIDFont CID handling
|
||||||
|
|
||||||
|
The PS interpreter callback that handles converting a CID to a TTF GID did
|
||||||
|
not handle the case of substituted CIDFonts.
|
||||||
|
|
||||||
|
It requires looking up the CID on the Decoding (to get a Unicode code point),
|
||||||
|
and then looking up the code point in the TTF cmap table to get the GID.
|
||||||
|
|
||||||
|
The rendering code already handled it.
|
||||||
|
---
|
||||||
|
psi/zfcid1.c | 73 +++++++++++++++++++++++++++++++++-------------------
|
||||||
|
1 file changed, 46 insertions(+), 27 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/psi/zfcid1.c b/psi/zfcid1.c
|
||||||
|
index fd502ff12..55de85d45 100644
|
||||||
|
--- a/psi/zfcid1.c
|
||||||
|
+++ b/psi/zfcid1.c
|
||||||
|
@@ -77,37 +77,56 @@
|
||||||
|
int gdbytes = pfont->cidata.common.GDBytes;
|
||||||
|
int gnum = 0;
|
||||||
|
const byte *data;
|
||||||
|
- int i, code;
|
||||||
|
+ int i, code = -1;
|
||||||
|
ref rcid;
|
||||||
|
ref *prgnum;
|
||||||
|
+ ref *p, *fdict = pfont_dict(pfont);
|
||||||
|
+
|
||||||
|
+ if (r_has_type(fdict, t_dictionary) && dict_find_string(fdict, "Path", &p)) {
|
||||||
|
+ ref *Decoding = NULL, *TT_cmap = NULL, *SubstNWP = NULL, src_type, dst_type;
|
||||||
|
+ uint c;
|
||||||
|
+
|
||||||
|
+ code = dict_find_string(fdict, "Decoding", &Decoding);
|
||||||
|
+ if (code > 0)
|
||||||
|
+ code = dict_find_string(fdict, "TT_cmap", &TT_cmap);
|
||||||
|
+ if (code > 0)
|
||||||
|
+ code = dict_find_string(fdict, "SubstNWP", &SubstNWP);
|
||||||
|
+ if (code > 0) {
|
||||||
|
+ code = cid_to_TT_charcode(pfont->memory, Decoding, TT_cmap, SubstNWP, cid, &c, &src_type, &dst_type);
|
||||||
|
+ if (code >= 0)
|
||||||
|
+ gnum = c;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- switch (r_type(pcidmap)) {
|
||||||
|
- case t_string:
|
||||||
|
- if (cid >= r_size(pcidmap) / gdbytes)
|
||||||
|
- return_error(gs_error_rangecheck);
|
||||||
|
- data = pcidmap->value.const_bytes + cid * gdbytes;
|
||||||
|
- break;
|
||||||
|
- case t_integer:
|
||||||
|
- return cid + pcidmap->value.intval;
|
||||||
|
- case t_dictionary:
|
||||||
|
- make_int(&rcid, cid);
|
||||||
|
- code = dict_find(pcidmap, &rcid, &prgnum);
|
||||||
|
- if (code <= 0)
|
||||||
|
- return (code < 0 ? code : gs_note_error(gs_error_undefined));
|
||||||
|
- if (!r_has_type(prgnum, t_integer))
|
||||||
|
- return_error(gs_error_typecheck);
|
||||||
|
- return prgnum->value.intval;
|
||||||
|
- default: /* array type */
|
||||||
|
- code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes,
|
||||||
|
- gdbytes, NULL, NULL, &data);
|
||||||
|
+ if (code < 0) {
|
||||||
|
+ switch (r_type(pcidmap)) {
|
||||||
|
+ case t_string:
|
||||||
|
+ if (cid >= r_size(pcidmap) / gdbytes)
|
||||||
|
+ return_error(gs_error_rangecheck);
|
||||||
|
+ data = pcidmap->value.const_bytes + cid * gdbytes;
|
||||||
|
+ break;
|
||||||
|
+ case t_integer:
|
||||||
|
+ return cid + pcidmap->value.intval;
|
||||||
|
+ case t_dictionary:
|
||||||
|
+ make_int(&rcid, cid);
|
||||||
|
+ code = dict_find(pcidmap, &rcid, &prgnum);
|
||||||
|
+ if (code <= 0)
|
||||||
|
+ return (code < 0 ? code : gs_note_error(gs_error_undefined));
|
||||||
|
+ if (!r_has_type(prgnum, t_integer))
|
||||||
|
+ return_error(gs_error_typecheck);
|
||||||
|
+ return prgnum->value.intval;
|
||||||
|
+ default: /* array type */
|
||||||
|
+ code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes,
|
||||||
|
+ gdbytes, NULL, NULL, &data);
|
||||||
|
|
||||||
|
- if (code < 0)
|
||||||
|
- return code;
|
||||||
|
- if ( code > 0 )
|
||||||
|
- return_error(gs_error_invalidfont);
|
||||||
|
+ if (code < 0)
|
||||||
|
+ return code;
|
||||||
|
+ if ( code > 0 )
|
||||||
|
+ return_error(gs_error_invalidfont);
|
||||||
|
+ }
|
||||||
|
+ for (i = 0; i < gdbytes; ++i)
|
||||||
|
+ gnum = (gnum << 8) + data[i];
|
||||||
|
}
|
||||||
|
- for (i = 0; i < gdbytes; ++i)
|
||||||
|
- gnum = (gnum << 8) + data[i];
|
||||||
|
if (gnum >= pfont->data.trueNumGlyphs)
|
||||||
|
return_error(gs_error_invalidfont);
|
||||||
|
return gnum;
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
@ -37,7 +37,7 @@
|
|||||||
Name: ghostscript
|
Name: ghostscript
|
||||||
Summary: Interpreter for PostScript language & PDF
|
Summary: Interpreter for PostScript language & PDF
|
||||||
Version: 9.27
|
Version: 9.27
|
||||||
Release: 6%{?dist}
|
Release: 11%{?dist}
|
||||||
|
|
||||||
License: AGPLv3+
|
License: AGPLv3+
|
||||||
|
|
||||||
@ -107,6 +107,11 @@ Patch014: ghostscript-cve-2020-16301.patch
|
|||||||
Patch015: ghostscript-9.27-fix-use-of-HWMargins.patch
|
Patch015: ghostscript-9.27-fix-use-of-HWMargins.patch
|
||||||
Patch016: ghostscript-9.27-Deal-with-different-VM-modes-during-CIDFont-loading.patch
|
Patch016: ghostscript-9.27-Deal-with-different-VM-modes-during-CIDFont-loading.patch
|
||||||
Patch017: ghostscript-9.27-ESC-Page-driver-does-not-set-page-size-correctly.patch
|
Patch017: ghostscript-9.27-ESC-Page-driver-does-not-set-page-size-correctly.patch
|
||||||
|
Patch018: ghostscript-9.27-fix-bbox.patch
|
||||||
|
Patch019: ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
|
||||||
|
Patch020: ghostscript-9.27-CVE-2023-28879.patch
|
||||||
|
Patch021: ghostscript-9.27-CVE-2023-38559.patch
|
||||||
|
Patch022: ghostscript-9.27-CVE-2023-4042.patch
|
||||||
|
|
||||||
|
|
||||||
# Downstream patches -- these should be always included when doing rebase:
|
# Downstream patches -- these should be always included when doing rebase:
|
||||||
@ -447,6 +452,26 @@ done
|
|||||||
# =============================================================================
|
# =============================================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.27-11
|
||||||
|
- fix for CVE-2023-4042
|
||||||
|
- Resolves: rhbz#2228153
|
||||||
|
|
||||||
|
* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.27-10
|
||||||
|
- fix for CVE-2023-38559
|
||||||
|
- Resolves: rhbz#2224371
|
||||||
|
|
||||||
|
* Fri May 05 2023 Richard Lescak <rlescak@redhat.com> - 9.27-9
|
||||||
|
- fix for CVE-2023-28879
|
||||||
|
- Resolves: rhbz#2188297
|
||||||
|
|
||||||
|
* Fri Mar 17 2023 Richard Lescak <rlescak@redhat.com> - 9.27-8
|
||||||
|
- fix embedding of CIDFonts
|
||||||
|
- Resolves: rhbz#2169890
|
||||||
|
|
||||||
|
* Wed Mar 15 2023 Richard Lescak <rlescak@redhat.com> - 9.27-7
|
||||||
|
- fix bbox device calculating bounding box incorrectly
|
||||||
|
- Resolves: rhbz#2176327
|
||||||
|
|
||||||
* Thu Feb 02 2023 Richard Lescak <rlescak@redhat.com> - 9.27-6
|
* Thu Feb 02 2023 Richard Lescak <rlescak@redhat.com> - 9.27-6
|
||||||
- set the page size for A4 correctly in ESC/Page driver
|
- set the page size for A4 correctly in ESC/Page driver
|
||||||
- Resolves: rhbz#2164603
|
- Resolves: rhbz#2164603
|
||||||
|
Loading…
Reference in New Issue
Block a user