From 985ef6b61d5ca17dc31e7363181f12f7fb3118e7 Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Wed, 16 Apr 2025 13:12:40 +0200 Subject: [PATCH] RHEL-15067 CVE-2020-27792 ghostscript: heap buffer over write vulnerability in GhostScript's lp8000_print_page() in gdevlp8k.c Resolves: RHEL-15067 --- ...-output-buffer-size-worst-case-in-lp.patch | 31 +++++++++++++++++++ ghostscript.spec | 3 ++ 2 files changed, 34 insertions(+) create mode 100644 0001-Bug-701844-fixed-output-buffer-size-worst-case-in-lp.patch diff --git a/0001-Bug-701844-fixed-output-buffer-size-worst-case-in-lp.patch b/0001-Bug-701844-fixed-output-buffer-size-worst-case-in-lp.patch new file mode 100644 index 0000000..07b5391 --- /dev/null +++ b/0001-Bug-701844-fixed-output-buffer-size-worst-case-in-lp.patch @@ -0,0 +1,31 @@ +From 4f6bc662909ab79e8fbe9822afb36e8a0eafc2b7 Mon Sep 17 00:00:00 2001 +From: Julian Smith +Date: Wed, 6 Nov 2019 12:41:28 +0000 +Subject: [PATCH] Bug 701844: fixed output buffer size worst case in + lp8000_print_page(). + +Fixes: + ./sanbin/gs -dBATCH -dNOPAUSE -dSAFER -dFIXEDMEDIA -sPAPERSIZE=legal -sOutputFile=tmp -sDEVICE=lp8000 ../bug-701844.pdf +--- + devices/gdevlp8k.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/devices/gdevlp8k.c b/devices/gdevlp8k.c +index 0a9bc03c8..55af94df0 100644 +--- a/devices/gdevlp8k.c ++++ b/devices/gdevlp8k.c +@@ -185,7 +185,10 @@ lp8000_print_page(gx_device_printer *pdev, gp_file *prn_stream) + unsigned int report_size; + + byte *buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "lp8000_print_page(buf1)"); +- byte *buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "lp8000_print_page(buf2)"); ++ ++ /* Worst case for rle compression below is 3 bytes for each 2 bytes of ++ input, with extra final byte. */ ++ byte *buf2 = (byte *)gs_malloc(pdev->memory, in_size * 3 / 2 + 2, 1, "lp8000_print_page(buf2)"); + byte *in = buf1; + byte *out = buf2; + +-- +2.49.0 + diff --git a/ghostscript.spec b/ghostscript.spec index 7dbd8d6..dd770ef 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -135,6 +135,8 @@ Patch027: 0001-Bug-701949-Add-omitEOD-flag-to-RLE-compressor-and-us.patch Patch028: gs-CVE-2023-46751.patch # RHEL-67046 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space Patch029: 0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch +# RHEL-15067 CVE-2020-27792 ghostscript: heap buffer over write vulnerability in GhostScript's lp8000_print_page() in gdevlp8k.c +Patch030: 0001-Bug-701844-fixed-output-buffer-size-worst-case-in-lp.patch # Downstream patches -- these should be always included when doing rebase: @@ -478,6 +480,7 @@ done * Tue Apr 15 2025 Zdenek Dohnal - 9.27-16 - RHEL-18396 CVE-2023-46751 ghostscript: dangling pointer in gdev_prn_open_printer_seekable() - RHEL-67046 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space +- RHEL-15067 CVE-2020-27792 ghostscript: heap buffer over write vulnerability in GhostScript's lp8000_print_page() in gdevlp8k.c * Mon Oct 14 2024 Zdenek Dohnal - 9.27-15 - fix printing PCL XL on some printers