RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
Resolves: RHEL-44745
		
							parent
							
								
									b2e75ddbf9
								
							
						
					
					
						commit
						a016b58d65
					
				| @ -117,6 +117,8 @@ Patch011: ghostscript-9.54.0-CVE-2023-43115.patch | ||||
| Patch012: gs-cve-2024-33871.patch | ||||
| # RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths | ||||
| Patch013: gs-CVE-2024-33870.patch | ||||
| # RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction | ||||
| Patch014: gs-CVE-2024-33869.patch | ||||
| 
 | ||||
| # Downstream patches -- these should be always included when doing rebase: | ||||
| # ------------------ | ||||
| @ -452,6 +454,7 @@ done | ||||
| %changelog | ||||
| * Mon Jul 08 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-17 | ||||
| - RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths | ||||
| - RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction | ||||
| 
 | ||||
| * Thu Jun 20 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-16 | ||||
| - RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library | ||||
|  | ||||
							
								
								
									
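--- a/gs-CVE-2024-33869.patch
+++ b/gs-CVE-2024-33869.patch
@@ -0,0 +1,43 @@
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 2b43f89..186d9b7 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1089,6 +1089,27 @@ gp_validate_path_len(const gs_memory_t *mem,
+         rlen = len;
+     }
+     else {
++        char *test = (char *)path, *test1;
++        uint tlen = len, slen;
++
++        /* Look for any pipe (%pipe% or '|' specifications between path separators
++         * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
++         */
++        while (tlen > 0) {
++            if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
++                code = gs_note_error(gs_error_invalidfileaccess);
++                goto exit;
++            }
++            test1 = test;
++            slen = search_separator((const char **)&test, path + len, test1, 1);
++            if(slen == 0)
++                break;
++            test += slen;
++            tlen -= test - test1;
++            if (test >= path + len)
++                break;
++        }
++
+         rlen = len+1;
+         bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+         if (bufferfull == NULL)
+@@ -1163,8 +1184,8 @@ gp_validate_path_len(const gs_memory_t *mem,
+ 
+             continue;
+         }
+-        else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
+-            buffer = bufferfull + cdirstrl + dirsepstrl;
++        else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
++            && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
+             continue;
+         }
+         break;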
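Review bot: The `else if` branch in the second gpmisc.c hunk no longer makes visible progress before it loops. Its body is now `continue;` alone, and the removed `buffer = bufferfull + cdirstrl + dirsepstrl;` was the only statement there that changed state. If the new condition holds, the next pass appears to re-validate the same `buffer` and reach the same `code`. The loop head and the validation call are outside the hunk, so confirm this there, then either restore a state change before `continue` or let the case fall through to `break`. The two added tests are also asymmetric (`memcmp(buffer, cdirstr, cdirstrl)` is true on a mismatch, `!memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)` on a match), so I would write them as `!= 0` and `== 0` with a one-line comment naming the path shape this branch handles.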