import UBI ghostscript-9.54.0-19.el9_6

eabdullin 2025-05-14 14:55:00 +00:00
parent 4a814250c4
commit f2d4b6331a
2 changed files with 48 additions and 1 deletions


@ -0,0 +1,41 @@
From 57291c846334f1585552010faa42d7cb2cbd5c41 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Wed, 20 Nov 2024 11:42:31 +0000
Subject: [PATCH] Bug 708133: Avoid integer overflow leading to buffer overflow
The calculation of the buffer size was being done with int values, and
overflowing that data type. By leaving the total size calculation to the
memory manager, the calculation ends up being done in size_t values, and
avoiding the overflow in this case, but also meaning the memory manager
overflow protection will be effective.
CVE-2025-27832
---
contrib/japanese/gdevnpdl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
index 60065bacf..4967282bd 100644
--- a/contrib/japanese/gdevnpdl.c
+++ b/contrib/japanese/gdevnpdl.c
@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
int code;
int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
+ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
return_error(gs_error_VMerror);
/* Initialize printer */
@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
/* Form Feed */
gp_fputs("\014", prn_stream);
- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
+ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
return 0;
}
--
2.49.0
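Review bot: The overflow protection this patch relies on lives in the allocator, not in the visible lines, so for a backport onto 9.54.0 it is worth confirming that `gs_malloc` in this tree takes the element count and element size as `size_t` and rejects a product that overflows; the commit message asserts this, but nothing in the hunk shows it for the older base. `line_size` and `maxY` are still `int`, and `maxY` comes from `lprn->BlockLine / lprn->nBh * lprn->nBh` with no visible check that `nBh` is non-zero or that the result is positive, so a guard such as `if (line_size <= 0 || maxY <= 0) return_error(gs_error_rangecheck);` before the allocation would make the failure mode explicit instead of depending on the conversion to an unsigned type. A short comment on the call, `/* count and size are passed separately so the allocator multiplies in size_t and can detect overflow */`, would keep a later cleanup from folding the multiplication back in. The body of `npdl_print_page_copies` starts and ends outside both hunks, so any other use of `line_size * maxY` in it cannot be checked from here.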


@ -42,7 +42,7 @@
Name: ghostscript Name: ghostscript
Summary: Interpreter for PostScript language & PDF Summary: Interpreter for PostScript language & PDF
Version: 9.54.0 Version: 9.54.0
Release: 18%{?dist} Release: 19%{?dist}
License: AGPLv3+ License: AGPLv3+
@ -138,6 +138,9 @@ Patch020: 0001-Bug-707793-Check-for-overflow-validating-format-stri.patch
# RHEL-67053 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution # RHEL-67053 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution
# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32cd3 # https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32cd3
Patch021: 0001-PostScript-interpreter-fix-buffer-length-check.patch Patch021: 0001-PostScript-interpreter-fix-buffer-length-check.patch
# RHEL-88966 CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow
# https://github.com/ArtifexSoftware/ghostpdl/commit/57291c84633
Patch022: 0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch
# Downstream patches -- these should be always included when doing rebase: # Downstream patches -- these should be always included when doing rebase:
# ------------------ # ------------------
@ -471,6 +474,9 @@ done
# ============================================================================= # =============================================================================
%changelog %changelog
* Wed May 07 2025 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-19
- RHEL-88966 CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow
* Tue Apr 15 2025 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-18 * Tue Apr 15 2025 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-18
- RHEL-18397 CVE-2023-46751 ghostscript: dangling pointer in gdev_prn_open_printer_seekable() - RHEL-18397 CVE-2023-46751 ghostscript: dangling pointer in gdev_prn_open_printer_seekable()
- RHEL-67048 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space - RHEL-67048 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space