From ff4cadb8089778a492e1068bce3592613c48cc4e Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Thu, 20 Jun 2024 09:39:37 +0200 Subject: [PATCH] RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library Resolves: RHEL-38839 --- ghostscript.spec | 7 ++++- gs-cve-2024-33871.patch | 62 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 gs-cve-2024-33871.patch diff --git a/ghostscript.spec b/ghostscript.spec index 55f161e..ab991d2 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -42,7 +42,7 @@ Name: ghostscript Summary: Interpreter for PostScript language & PDF Version: 9.54.0 -Release: 14%{?dist} +Release: 16%{?dist} License: AGPLv3+ @@ -113,6 +113,8 @@ Patch008: ghostscript-9.54.0-CVE-2023-28879.patch Patch009: ghostscript-9.54.0-CVE-2023-36664.patch Patch010: ghostscript-9.54.0-CVE-2023-38559.patch Patch011: ghostscript-9.54.0-CVE-2023-43115.patch +# RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library +Patch012: gs-cve-2024-33871.patch # Downstream patches -- these should be always included when doing rebase: # ------------------ @@ -446,6 +448,9 @@ done # ============================================================================= %changelog +* Thu Jun 20 2024 Zdenek Dohnal - 9.54.0-16 +- RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library + * Fri Oct 27 2023 Richard Lescak - 9.54.0-14 - fix for CVE-2023-43115 - Resolves: RHEL-10185 diff --git a/gs-cve-2024-33871.patch b/gs-cve-2024-33871.patch new file mode 100644 index 0000000..1118715 --- /dev/null +++ b/gs-cve-2024-33871.patch @@ -0,0 +1,62 @@ +diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c +index 70475ad..013a497 100644 +--- a/contrib/opvp/gdevopvp.c ++++ b/contrib/opvp/gdevopvp.c +@@ -185,7 +185,7 @@ static int opvp_copy_color(gx_device *, const byte *, int, int, + static int _get_params(gs_param_list *); + static int opvp_get_params(gx_device *, gs_param_list *); + static int oprp_get_params(gx_device *, gs_param_list *); +-static int _put_params(gs_param_list *); ++static int _put_params(gx_device *, gs_param_list *); + static int opvp_put_params(gx_device *, gs_param_list *); + static int oprp_put_params(gx_device *, gs_param_list *); + static int opvp_fill_path(gx_device *, const gs_gstate *, gx_path *, +@@ -3043,7 +3043,7 @@ _get_params(gs_param_list *plist) + /* vector driver name */ + pname = "Driver"; + vdps.data = (byte *)vectorDriver; +- vdps.size = (vectorDriver ? strlen(vectorDriver) + 1 : 0); ++ vdps.size = (vectorDriver ? strlen(vectorDriver) : 0); + vdps.persistent = false; + code = param_write_string(plist, pname, &vdps); + if (code) ecode = code; +@@ -3180,7 +3180,7 @@ oprp_get_params(gx_device *dev, gs_param_list *plist) + * put params + */ + static int +-_put_params(gs_param_list *plist) ++_put_params(gx_device *dev, gs_param_list *plist) + { + int code; + int ecode = 0; +@@ -3202,6 +3202,12 @@ _put_params(gs_param_list *plist) + code = param_read_string(plist, pname, &vdps); + switch (code) { + case 0: ++ if (gs_is_path_control_active(dev->memory) ++ && (!vectorDriver || strlen(vectorDriver) != vdps.size ++ || memcmp(vectorDriver, vdps.data, vdps.size) != 0)) { ++ param_signal_error(plist, pname, gs_error_invalidaccess); ++ return_error(gs_error_invalidaccess); ++ } + buff = realloc(buff, vdps.size + 1); + memcpy(buff, vdps.data, vdps.size); + buff[vdps.size] = 0; +@@ -3403,7 +3409,7 @@ opvp_put_params(gx_device *dev, gs_param_list *plist) + int code; + + /* put params */ +- code = _put_params(plist); ++ code = _put_params(dev, plist); + if (code) return code; + + /* put default params */ +@@ -3419,7 +3425,7 @@ oprp_put_params(gx_device *dev, gs_param_list *plist) + int code; + + /* put params */ +- code = _put_params(plist); ++ code = _put_params(dev, plist); + if (code) return code; + + /* put default params */