rpms/ghostscript
7
0
Fork 0
Code Issues Pull Requests Releases Activity

RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths

Browse Source 
Resolves: RHEL-44771
This commit is contained in:
Zdenek Dohnal 2024-07-11 17:51:48 +02:00
parent 65e57c11de
commit a6cfa19a60
2 changed files with 100 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
0001-Bug-707686.patch Normal file
View File

@ -0,0 +1,94 @@
From 79aef19c685984dc3da2dc090450407d9fbcff80 Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Tue, 26 Mar 2024 12:00:14 +0000
Subject: [PATCH] Bug #707686
See bug thread for details
In addition to the noted bug; an error path (return from
gp_file_name_reduce not successful) could elad to a memory leak as we
did not free 'bufferfull'. Fix that too.
This addresses CVE-2024-33870
---
base/gpmisc.c | 36 ++++++++++++++++++++++++++++++++----
1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index 2b0064bea..c4a69b03a 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
const uint len,
const char *mode)
{
- char *buffer, *bufferfull;
+ char *buffer, *bufferfull = NULL;
uint rlen;
int code = 0;
const char *cdirstr = gp_file_name_current();
@@ -1096,8 +1096,10 @@ gp_validate_path_len(const gs_memory_t *mem,
return gs_error_VMerror;
buffer = bufferfull + prefix_len;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
+ code = gs_note_error(gs_error_invalidfileaccess);
+ goto exit;
+ }
buffer[rlen] = 0;
}
while (1) {
@@ -1132,9 +1134,34 @@ gp_validate_path_len(const gs_memory_t *mem,
code = gs_note_error(gs_error_invalidfileaccess);
}
if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
+ uint newlen = rlen + cdirstrl + dirsepstrl;
+ char *newbuffer;
+ int code;
+
buffer = bufferfull;
memcpy(buffer, cdirstr, cdirstrl);
memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
+
+ /* We've prepended a './' or similar for the current working directory. We need
+ * to execute file_name_reduce on that, to eliminate any '../' or similar from
+ * the (new) full path.
+ */
+ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
+ if (newbuffer == NULL) {
+ code = gs_note_error(gs_error_VMerror);
+ goto exit;
+ }
+
+ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
+ newbuffer[newlen] = 0x00;
+
+ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
+ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
+ if (code != gp_combine_success) {
+ code = gs_note_error(gs_error_invalidfileaccess);
+ goto exit;
+ }
+
continue;
}
else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
@@ -1153,6 +1180,7 @@ gp_validate_path_len(const gs_memory_t *mem,
gs_path_control_flag_is_scratch_file);
}
+exit:
gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
#ifdef EACCES
if (code == gs_error_invalidfileaccess)
--
2.45.2

7
ghostscript.spec
View File

@ -45,7 +45,7 @@
Name: ghostscript Name: ghostscript
Summary: Interpreter for PostScript language & PDF Summary: Interpreter for PostScript language & PDF
Version: 10.02.1 Version: 10.02.1
Release: 11%{?dist} Release: 12%{?dist}
License: AGPL-3.0-or-later License: AGPL-3.0-or-later
@ -115,6 +115,8 @@ Patch: 0001-Bug-707130-Cast-to-void-to-avoid-compiler-warning.patch
Patch: 0001-X-device-fix-compiler-warning.patch Patch: 0001-X-device-fix-compiler-warning.patch
# RHEL-38835 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library # RHEL-38835 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
Patch: 0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch Patch: 0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch
# RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
Patch: 0001-Bug-707686.patch
# Downstream patches -- these should be always included when doing rebase: # Downstream patches -- these should be always included when doing rebase:
# ------------------ # ------------------
@ -431,6 +433,9 @@ done
# ============================================================================= # =============================================================================
%changelog %changelog
* Thu Jul 11 2024 Zdenek Dohnal <zdohnal@redhat.com> - 10.02.1-12
- RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 10.02.1-11 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 10.02.1-11
- Bump release for June 2024 mass rebuild - Bump release for June 2024 mass rebuild