From f2d4b6331afeb4ac2b15eb05bf52981fbf306c81 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 14 May 2025 14:55:00 +0000 Subject: [PATCH] import UBI ghostscript-9.54.0-19.el9_6 --- ...-integer-overflow-leading-to-buffer-.patch | 41 +++++++++++++++++++ SPECS/ghostscript.spec | 8 +++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch diff --git a/SOURCES/0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch b/SOURCES/0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch new file mode 100644 index 0000000..09f9b86 --- /dev/null +++ b/SOURCES/0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch @@ -0,0 +1,41 @@ +From 57291c846334f1585552010faa42d7cb2cbd5c41 Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra +Date: Wed, 20 Nov 2024 11:42:31 +0000 +Subject: [PATCH] Bug 708133: Avoid integer overflow leading to buffer overflow + +The calculation of the buffer size was being done with int values, and +overflowing that data type. By leaving the total size calculation to the +memory manager, the calculation ends up being done in size_t values, and +avoiding the overflow in this case, but also meaning the memory manager +overflow protection will be effective. + +CVE-2025-27832 +--- + contrib/japanese/gdevnpdl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c +index 60065bacf..4967282bd 100644 +--- a/contrib/japanese/gdevnpdl.c ++++ b/contrib/japanese/gdevnpdl.c +@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c + int code; + int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh; + +- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)"))) ++ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)"))) + return_error(gs_error_VMerror); + + /* Initialize printer */ +@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c + /* Form Feed */ + gp_fputs("\014", prn_stream); + +- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)"); ++ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)"); + return 0; + } + +-- +2.49.0 + diff --git a/SPECS/ghostscript.spec b/SPECS/ghostscript.spec index 6f4aa5f..08993b7 100644 --- a/SPECS/ghostscript.spec +++ b/SPECS/ghostscript.spec @@ -42,7 +42,7 @@ Name: ghostscript Summary: Interpreter for PostScript language & PDF Version: 9.54.0 -Release: 18%{?dist} +Release: 19%{?dist} License: AGPLv3+ @@ -138,6 +138,9 @@ Patch020: 0001-Bug-707793-Check-for-overflow-validating-format-stri.patch # RHEL-67053 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution # https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32cd3 Patch021: 0001-PostScript-interpreter-fix-buffer-length-check.patch +# RHEL-88966 CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow +# https://github.com/ArtifexSoftware/ghostpdl/commit/57291c84633 +Patch022: 0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch # Downstream patches -- these should be always included when doing rebase: # ------------------ @@ -471,6 +474,9 @@ done # ============================================================================= %changelog +* Wed May 07 2025 Zdenek Dohnal - 9.54.0-19 +- RHEL-88966 CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow + * Tue Apr 15 2025 Zdenek Dohnal - 9.54.0-18 - RHEL-18397 CVE-2023-46751 ghostscript: dangling pointer in gdev_prn_open_printer_seekable() - RHEL-67048 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space