diff --git a/ghostscript.spec b/ghostscript.spec index ab991d2..e8621ce 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -42,7 +42,7 @@ Name: ghostscript Summary: Interpreter for PostScript language & PDF Version: 9.54.0 -Release: 16%{?dist} +Release: 17%{?dist} License: AGPLv3+ @@ -115,6 +115,8 @@ Patch010: ghostscript-9.54.0-CVE-2023-38559.patch Patch011: ghostscript-9.54.0-CVE-2023-43115.patch # RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library Patch012: gs-cve-2024-33871.patch +# RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths +Patch013: gs-CVE-2024-33870.patch # Downstream patches -- these should be always included when doing rebase: # ------------------ @@ -448,6 +450,9 @@ done # ============================================================================= %changelog +* Mon Jul 08 2024 Zdenek Dohnal - 9.54.0-17 +- RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths + * Thu Jun 20 2024 Zdenek Dohnal - 9.54.0-16 - RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library diff --git a/gs-CVE-2024-33870.patch b/gs-CVE-2024-33870.patch new file mode 100644 index 0000000..ff47ee1 --- /dev/null +++ b/gs-CVE-2024-33870.patch @@ -0,0 +1,69 @@ +diff --git a/base/gpmisc.c b/base/gpmisc.c +index f9a9230..2b43f89 100644 +--- a/base/gpmisc.c ++++ b/base/gpmisc.c +@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem, + const uint len, + const char *mode) + { +- char *buffer, *bufferfull; ++ char *buffer, *bufferfull = NULL; + uint rlen; + int code = 0; + const char *cdirstr = gp_file_name_current(); +@@ -1095,8 +1095,10 @@ gp_validate_path_len(const gs_memory_t *mem, + return gs_error_VMerror; + + buffer = bufferfull + prefix_len; +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) { ++ code = gs_note_error(gs_error_invalidfileaccess); ++ goto exit; ++ } + buffer[rlen] = 0; + } + while (1) { +@@ -1131,9 +1133,34 @@ gp_validate_path_len(const gs_memory_t *mem, + code = gs_note_error(gs_error_invalidfileaccess); + } + if (code < 0 && prefix_len > 0 && buffer > bufferfull) { ++ uint newlen = rlen + cdirstrl + dirsepstrl; ++ char *newbuffer; ++ int code; ++ + buffer = bufferfull; + memcpy(buffer, cdirstr, cdirstrl); + memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl); ++ ++ /* We've prepended a './' or similar for the current working directory. We need ++ * to execute file_name_reduce on that, to eliminate any '../' or similar from ++ * the (new) full path. ++ */ ++ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path"); ++ if (newbuffer == NULL) { ++ code = gs_note_error(gs_error_VMerror); ++ goto exit; ++ } ++ ++ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl); ++ newbuffer[newlen] = 0x00; ++ ++ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen); ++ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path"); ++ if (code != gp_combine_success) { ++ code = gs_note_error(gs_error_invalidfileaccess); ++ goto exit; ++ } ++ + continue; + } + else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) { +@@ -1152,6 +1179,7 @@ gp_validate_path_len(const gs_memory_t *mem, + gs_path_control_flag_is_scratch_file); + } + ++exit: + gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path"); + #ifdef EACCES + if (code == gs_error_invalidfileaccess)