From a016b58d652d53ddceb8b9a4e3b8c0a01c78b619 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Tue, 9 Jul 2024 18:42:05 +0200
Subject: [PATCH] RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
Resolves: RHEL-44745
---
 ghostscript.spec | 3 +++
 gs-CVE-2024-33869.patch | 43 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 gs-CVE-2024-33869.patch
diff --git a/ghostscript.spec b/ghostscript.spec
index e8621ce..78ae134 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -117,6 +117,8 @@ Patch011: ghostscript-9.54.0-CVE-2023-43115.patch
 Patch012: gs-cve-2024-33871.patch
 # RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
 Patch013: gs-CVE-2024-33870.patch
+# RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
+Patch014: gs-CVE-2024-33869.patch
 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
@@ -452,6 +454,7 @@ done
 %changelog
 * Mon Jul 08 2024 Zdenek Dohnal - 9.54.0-17
 - RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
+- RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
 * Thu Jun 20 2024 Zdenek Dohnal - 9.54.0-16
 - RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
diff --git a/gs-CVE-2024-33869.patch b/gs-CVE-2024-33869.patch
new file mode 100644
index 0000000..e429078
--- /dev/null
+++ b/gs-CVE-2024-33869.patch
@@ -0,0 +1,43 @@
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 2b43f89..186d9b7 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1089,6 +1089,27 @@ gp_validate_path_len(const gs_memory_t *mem,
+ rlen = len;
+ }
+ else {
++ char *test = (char *)path, *test1;
++ uint tlen = len, slen;
++
++ /* Look for any pipe (%pipe% or '|' specifications between path separators
++ * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
++ */
++ while (tlen > 0) {
++ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
++ code = gs_note_error(gs_error_invalidfileaccess);
++ goto exit;
++ }
++ test1 = test;
++ slen = search_separator((const char **)&test, path + len, test1, 1);
++ if(slen == 0)
++ break;
++ test += slen;
++ tlen -= test - test1;
++ if (test >= path + len)
++ break;
++ }
++
+ rlen = len+1;
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
+@@ -1163,8 +1184,8 @@ gp_validate_path_len(const gs_memory_t *mem,
+
+ continue;
+ }
+- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
+- buffer = bufferfull + cdirstrl + dirsepstrl;
++ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
++ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
+ continue;
+ }
+ break;
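Review bot: In the second gpmisc.c hunk (`@@ -1163,8 +1184,8 @@`) the rewritten `else if` branch still ends in `continue` but no longer changes `buffer`, and nothing else visible in the hunk changes state, so if the enclosing loop re-runs the same permission check a path matching this condition could be retried without end instead of being rejected. The condition also pairs an un-negated `memcmp(buffer, cdirstr, cdirstrl)` (true when the prefix differs) with `!memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)` (true when it matches), which reads like a dropped `!` unless the asymmetry is deliberate. The loop and the rest of gp_validate_path_len lie outside the hunk, so this should be confirmed against the full function and the upstream fix. Whatever the answer, I would add a comment above the branch stating it, for example `/* buffer lacks the cdirstr prefix but has dirsepstr at offset cdirstrl: <reason for retrying, and what changes before the retry> */`.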