diff --git a/0001-Uniprint-device-prevent-string-configuration-changes.patch b/0001-Uniprint-device-prevent-string-configuration-changes.patch new file mode 100644 index 0000000..0adbfa6 --- /dev/null +++ b/0001-Uniprint-device-prevent-string-configuration-changes.patch @@ -0,0 +1,79 @@ +From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 21 Mar 2024 09:01:15 +0000 +Subject: [PATCH] Uniprint device - prevent string configuration changes when + SAFER + +Bug #707662 + +We cannot sanitise the string arguments used by the Uniprint device +because they can potentially include anything. + +This commit ensures that these strings are locked and cannot be +changed by PostScript once SAFER is activated. Full configuration from +the command line is still possible (see the *.upp files in lib). + +This addresses CVE-2024-29510 +--- + devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/devices/gdevupd.c b/devices/gdevupd.c +index c9389e7bc..016a9260a 100644 +--- a/devices/gdevupd.c ++++ b/devices/gdevupd.c +@@ -1891,6 +1891,16 @@ out on this copies. + if(!upd_strings[i]) continue; + UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory); + if(0 == code) { ++ if (gs_is_path_control_active(udev->memory)) { ++ if (strings[i].size != value.size) ++ error = gs_error_invalidaccess; ++ else { ++ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0) ++ error = gs_error_invalidaccess; ++ } ++ if (error < 0) ++ goto exit; ++ } + if(0 <= error) error |= UPD_PUT_STRINGS; + UPD_MM_DEL_PARAM(udev->memory, strings[i]); + if(!value.size) { +@@ -1908,6 +1918,26 @@ out on this copies. + if(!upd_string_a[i]) continue; + UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory); + if(0 == code) { ++ if (gs_is_path_control_active(udev->memory)) { ++ if (string_a[i].size != value.size) ++ error = gs_error_invalidaccess; ++ else { ++ int loop; ++ for (loop = 0;loop < string_a[i].size;loop++) { ++ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]); ++ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop]; ++ ++ if (tmp1->size != tmp2->size) ++ error = gs_error_invalidaccess; ++ else { ++ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0) ++ error = gs_error_invalidaccess; ++ } ++ } ++ } ++ if (error < 0) ++ goto exit; ++ } + if(0 <= error) error |= UPD_PUT_STRING_A; + UPD_MM_DEL_APARAM(udev->memory, string_a[i]); + if(!value.size) { +@@ -2102,6 +2132,7 @@ transferred into the device-structure. In the case of "uniprint", this may + if(0 > code) error = code; + } + ++exit: + if(0 < error) { /* Actually something loaded without error */ + + if(!(upd = udev->upd)) { +-- +2.45.2 + diff --git a/ghostscript.spec b/ghostscript.spec index 78ae134..1b85ad2 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -119,6 +119,8 @@ Patch012: gs-cve-2024-33871.patch Patch013: gs-CVE-2024-33870.patch # RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction Patch014: gs-CVE-2024-33869.patch +# RHEL-44731 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass) +Patch015: 0001-Uniprint-device-prevent-string-configuration-changes.patch # Downstream patches -- these should be always included when doing rebase: # ------------------ @@ -455,6 +457,7 @@ done * Mon Jul 08 2024 Zdenek Dohnal - 9.54.0-17 - RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths - RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction +- RHEL-44731 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass) * Thu Jun 20 2024 Zdenek Dohnal - 9.54.0-16 - RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library