rpms/ghostscript
7
0
Fork 0
Code Issues Pull Requests Releases Activity

RHEL-44731 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)

Browse Source 
Resolves: RHEL-44731
This commit is contained in:
Zdenek Dohnal 2024-07-09 19:13:25 +02:00
parent a016b58d65
commit 97174c7d75
2 changed files with 82 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
0001-Uniprint-device-prevent-string-configuration-changes.patch Normal file
View File

@ -0,0 +1,79 @@
From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 21 Mar 2024 09:01:15 +0000
Subject: [PATCH] Uniprint device - prevent string configuration changes when
SAFER
Bug #707662
We cannot sanitise the string arguments used by the Uniprint device
because they can potentially include anything.
This commit ensures that these strings are locked and cannot be
changed by PostScript once SAFER is activated. Full configuration from
the command line is still possible (see the *.upp files in lib).
This addresses CVE-2024-29510
---
devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/devices/gdevupd.c b/devices/gdevupd.c
index c9389e7bc..016a9260a 100644
--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
@@ -1891,6 +1891,16 @@ out on this copies.
if(!upd_strings[i]) continue;
UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
if(0 == code) {
+ if (gs_is_path_control_active(udev->memory)) {
+ if (strings[i].size != value.size)
+ error = gs_error_invalidaccess;
+ else {
+ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
+ error = gs_error_invalidaccess;
+ }
+ if (error < 0)
+ goto exit;
+ }
if(0 <= error) error |= UPD_PUT_STRINGS;
UPD_MM_DEL_PARAM(udev->memory, strings[i]);
if(!value.size) {
@@ -1908,6 +1918,26 @@ out on this copies.
if(!upd_string_a[i]) continue;
UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
if(0 == code) {
+ if (gs_is_path_control_active(udev->memory)) {
+ if (string_a[i].size != value.size)
+ error = gs_error_invalidaccess;
+ else {
+ int loop;
+ for (loop = 0;loop < string_a[i].size;loop++) {
+ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
+ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
+
+ if (tmp1->size != tmp2->size)
+ error = gs_error_invalidaccess;
+ else {
+ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
+ error = gs_error_invalidaccess;
+ }
+ }
+ }
+ if (error < 0)
+ goto exit;
+ }
if(0 <= error) error |= UPD_PUT_STRING_A;
UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
if(!value.size) {
@@ -2102,6 +2132,7 @@ transferred into the device-structure. In the case of "uniprint", this may
if(0 > code) error = code;
}
+exit:
if(0 < error) { /* Actually something loaded without error */
if(!(upd = udev->upd)) {
--
2.45.2

3
ghostscript.spec
View File

@ -119,6 +119,8 @@ Patch012: gs-cve-2024-33871.patch
Patch013: gs-CVE-2024-33870.patch
# RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
Patch014: gs-CVE-2024-33869.patch
# RHEL-44731 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
Patch015: 0001-Uniprint-device-prevent-string-configuration-changes.patch
# Downstream patches -- these should be always included when doing rebase:
# ------------------
@ -455,6 +457,7 @@ done
* Mon Jul 08 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-17
- RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
- RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
- RHEL-44731 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
* Thu Jun 20 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-16
- RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library