rpms/ghostscript
7
0
Fork 0
Code Issues Pull Requests Releases Activity

RHEL-67053 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript

Browse Source 
Resolves: RHEL-67053
This commit is contained in:
Zdenek Dohnal 2025-04-16 12:36:35 +02:00
parent 335a631ca9
commit dc9023cd29
2 changed files with 73 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
0001-Bug-707793-Check-for-overflow-validating-format-stri.patch Normal file
View File

@ -0,0 +1,67 @@
From 1f21a45df0fa3abec4cff12951022b192dda3c00 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Mon, 27 May 2024 13:38:36 +0100
Subject: [PATCH] Bug 707793: Check for overflow validating format string
for the output file name
CVE-2024-46953
---
base/gsdevice.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/base/gsdevice.c b/base/gsdevice.c
index 90e699ab4..49354d833 100644
--- a/base/gsdevice.c
+++ b/base/gsdevice.c
@@ -1070,7 +1070,7 @@ static int
gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
{
bool have_format = false, field;
- int width[2], int_width = sizeof(int) * 3, w = 0;
+ uint width[2], int_width = sizeof(int) * 3, w = 0;
uint i;
/* Scan the file name for a format string, and validate it if present. */
@@ -1099,6 +1099,8 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
default: /* width (field = 0) and precision (field = 1) */
if (strchr("0123456789", pfn->fname[i])) {
width[field] = width[field] * 10 + pfn->fname[i] - '0';
+ if (width[field] > max_int)
+ return_error(gs_error_undefinedfilename);
continue;
} else if (0 == field && '.' == pfn->fname[i]) {
field++;
@@ -1127,8 +1129,10 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
/* Calculate a conservative maximum width. */
w = max(width[0], width[1]);
w = max(w, int_width) + 5;
+ if (w > max_int)
+ return_error(gs_error_undefinedfilename);
}
- return w;
+ return (int)w;
}
/*
@@ -1181,10 +1185,15 @@ gx_parse_output_file_name(gs_parsed_file_name_t *pfn, const char **pfmt,
if (!pfn->fname)
return 0;
code = gx_parse_output_format(pfn, pfmt);
- if (code < 0)
+ if (code < 0) {
return code;
- if (strlen(pfn->iodev->dname) + pfn->len + code >= gp_file_name_sizeof)
+ }
+
+ if (pfn->len >= gp_file_name_sizeof - strlen(pfn->iodev->dname) ||
+ code >= gp_file_name_sizeof - strlen(pfn->iodev->dname) - pfn->len) {
return_error(gs_error_undefinedfilename);
+ }
+
return 0;
}
--
2.49.0

8
ghostscript.spec
View File

@ -130,8 +130,11 @@ Patch017: 0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch
# RHEL-67053 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding # RHEL-67053 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding
# implementing decode_utf8() https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=4fcf527584da2053 # implementing decode_utf8() https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=4fcf527584da2053
# CVE fix, updated for gp_wutf8() in 9.27 https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=282f691f5e57b6b # CVE fix, updated for gp_wutf8() in 9.27 https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=282f691f5e57b6b
Patch031: 0001-Bug-705911-Fix-Ghostscript-s-encoding-decoding-of-UT.patch Patch018: 0001-Bug-705911-Fix-Ghostscript-s-encoding-decoding-of-UT.patch
Patch032: 0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch Patch019: 0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch
# RHEL-67053 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1f21a45df0fa3abec
Patch020: 0001-Bug-707793-Check-for-overflow-validating-format-stri.patch
# Downstream patches -- these should be always included when doing rebase: # Downstream patches -- these should be always included when doing rebase:
# ------------------ # ------------------
@ -469,6 +472,7 @@ done
- RHEL-18397 CVE-2023-46751 ghostscript: dangling pointer in gdev_prn_open_printer_seekable() - RHEL-18397 CVE-2023-46751 ghostscript: dangling pointer in gdev_prn_open_printer_seekable()
- RHEL-67048 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space - RHEL-67048 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space
- RHEL-67053 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding - RHEL-67053 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding
- RHEL-67053 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript
* Mon Jul 08 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-17 * Mon Jul 08 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-17
- RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths - RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths