RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction

Resolves: RHEL-44745
This commit is contained in:
Zdenek Dohnal 2024-07-09 18:42:05 +02:00
parent b2e75ddbf9
commit a016b58d65
2 changed files with 46 additions and 0 deletions

View File

@ -117,6 +117,8 @@ Patch011: ghostscript-9.54.0-CVE-2023-43115.patch
Patch012: gs-cve-2024-33871.patch Patch012: gs-cve-2024-33871.patch
# RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths # RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
Patch013: gs-CVE-2024-33870.patch Patch013: gs-CVE-2024-33870.patch
# RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
Patch014: gs-CVE-2024-33869.patch
# Downstream patches -- these should be always included when doing rebase: # Downstream patches -- these should be always included when doing rebase:
# ------------------ # ------------------
@ -452,6 +454,7 @@ done
%changelog %changelog
* Mon Jul 08 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-17 * Mon Jul 08 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-17
- RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths - RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
- RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
* Thu Jun 20 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-16 * Thu Jun 20 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-16
- RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library - RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library

43
gs-CVE-2024-33869.patch Normal file
View File

@ -0,0 +1,43 @@
diff --git a/base/gpmisc.c b/base/gpmisc.c
index 2b43f89..186d9b7 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1089,6 +1089,27 @@ gp_validate_path_len(const gs_memory_t *mem,
rlen = len;
}
else {
+ char *test = (char *)path, *test1;
+ uint tlen = len, slen;
+
+ /* Look for any pipe (%pipe% or '|' specifications between path separators
+ * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
+ */
+ while (tlen > 0) {
+ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
+ code = gs_note_error(gs_error_invalidfileaccess);
+ goto exit;
+ }
+ test1 = test;
+ slen = search_separator((const char **)&test, path + len, test1, 1);
+ if(slen == 0)
+ break;
+ test += slen;
+ tlen -= test - test1;
+ if (test >= path + len)
+ break;
+ }
+
rlen = len+1;
bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
if (bufferfull == NULL)
@@ -1163,8 +1184,8 @@ gp_validate_path_len(const gs_memory_t *mem,
continue;
}
- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
- buffer = bufferfull + cdirstrl + dirsepstrl;
+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
+ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
continue;
}
break;