RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library

Resolves: RHEL-38839
fix for CVE-2023-43115
2024-06-20 09:39:37 +02:00 · 2023-10-27 13:38:37 +02:00
3 changed files with 93 additions and 1 deletions
--- a/ghostscript-9.54.0-CVE-2023-43115.patch
+++ b/ghostscript-9.54.0-CVE-2023-43115.patch
@ -0,0 +1,21 @@
+--- a/devices/gdevijs.c
+++ b/devices/gdevijs.c
+@@ -934,6 +934,9 @@
+     static const char rgb[] = "DeviceRGB";
+     gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+ 
+    if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
+        return_error(gs_error_invalidaccess);
+
+     code = gx_default_finish_copydevice(dev, from_dev);
+     if(code < 0)
+         return code;
+@@ -1363,7 +1366,7 @@
+     if (code >= 0)
+         code = gsijs_read_string(plist, "IjsServer",
+             ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
+-            dev->LockSafetyParams, is_open);
+            ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
+ 
+     if (code >= 0)
+         code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -42,7 +42,7 @@
 Name:             ghostscript
 Summary:          Interpreter for PostScript language & PDF
 Version:          9.54.0
-Release:          13%{?dist}
+Release:          16%{?dist}

 License:          AGPLv3+

@ -112,6 +112,9 @@ Patch007: ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
 Patch008: ghostscript-9.54.0-CVE-2023-28879.patch
 Patch009: ghostscript-9.54.0-CVE-2023-36664.patch
 Patch010: ghostscript-9.54.0-CVE-2023-38559.patch
+Patch011: ghostscript-9.54.0-CVE-2023-43115.patch
+# RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
+Patch012: gs-cve-2024-33871.patch

 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
@ -445,6 +448,12 @@ done
 # =============================================================================

 %changelog
+* Thu Jun 20 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-16
+- RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
+
+* Fri Oct 27 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-14
+- fix for CVE-2023-43115
+- Resolves: RHEL-10185

 * Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-13
 - fix for CVE-2023-38559
--- a/gs-cve-2024-33871.patch
+++ b/gs-cve-2024-33871.patch
@ -0,0 +1,62 @@
+diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
+index 70475ad..013a497 100644
+--- a/contrib/opvp/gdevopvp.c
+++ b/contrib/opvp/gdevopvp.c
+@@ -185,7 +185,7 @@ static  int opvp_copy_color(gx_device *, const byte *, int, int,
+ static  int _get_params(gs_param_list *);
+ static  int opvp_get_params(gx_device *, gs_param_list *);
+ static  int oprp_get_params(gx_device *, gs_param_list *);
+-static  int _put_params(gs_param_list *);
+static  int _put_params(gx_device *, gs_param_list *);
+ static  int opvp_put_params(gx_device *, gs_param_list *);
+ static  int oprp_put_params(gx_device *, gs_param_list *);
+ static  int opvp_fill_path(gx_device *, const gs_gstate *, gx_path *,
+@@ -3043,7 +3043,7 @@ _get_params(gs_param_list *plist)
+     /* vector driver name */
+     pname = "Driver";
+     vdps.data = (byte *)vectorDriver;
+-    vdps.size = (vectorDriver ? strlen(vectorDriver) + 1 : 0);
+    vdps.size = (vectorDriver ? strlen(vectorDriver) : 0);
+     vdps.persistent = false;
+     code = param_write_string(plist, pname, &vdps);
+     if (code) ecode = code;
+@@ -3180,7 +3180,7 @@ oprp_get_params(gx_device *dev, gs_param_list *plist)
+  * put params
+  */
+ static  int
+-_put_params(gs_param_list *plist)
+_put_params(gx_device *dev, gs_param_list *plist)
+ {
+     int code;
+     int ecode = 0;
+@@ -3202,6 +3202,12 @@ _put_params(gs_param_list *plist)
+     code = param_read_string(plist, pname, &vdps);
+     switch (code) {
+     case 0:
+        if (gs_is_path_control_active(dev->memory)
+            && (!vectorDriver || strlen(vectorDriver) != vdps.size
+                || memcmp(vectorDriver, vdps.data, vdps.size) != 0)) {
+            param_signal_error(plist, pname, gs_error_invalidaccess);
+            return_error(gs_error_invalidaccess);
+        }
+         buff = realloc(buff, vdps.size + 1);
+         memcpy(buff, vdps.data, vdps.size);
+         buff[vdps.size] = 0;
+@@ -3403,7 +3409,7 @@ opvp_put_params(gx_device *dev, gs_param_list *plist)
+     int code;
+ 
+     /* put params */
+-    code = _put_params(plist);
+    code = _put_params(dev, plist);
+     if (code) return code;
+ 
+     /* put default params */
+@@ -3419,7 +3425,7 @@ oprp_put_params(gx_device *dev, gs_param_list *plist)
+     int code;
+ 
+     /* put params */
+-    code = _put_params(plist);
+    code = _put_params(dev, plist);
+     if (code) return code;
+ 
+     /* put default params */
Author	SHA1	Message	Date
Zdenek Dohnal	ff4cadb808	RHEL-38839 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library Resolves: RHEL-38839	2024-06-20 09:39:37 +02:00
Richard Lescak	30d270974d	fix for CVE-2023-43115 Resolves: RHEL-10185	2023-10-27 13:38:37 +02:00