CVE-2023-4504 libppd: Postscript Parsing Heap Overflow

2023-09-20 17:06:51 +02:00 · 2023-09-20 17:06:51 +02:00 · 719bc77110
commit 719bc77110
parent 0d2377cf37
2 changed files with 47 additions and 1 deletions
--- a/0001-raster-interpret.c-Fix-CVE-2023-4504.patch
+++ b/0001-raster-interpret.c-Fix-CVE-2023-4504.patch
@ -0,0 +1,41 @@
+From 262c909ac5b8676d1c221584c5a760e5e83fae66 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Mon, 4 Sep 2023 17:07:14 +0200
+Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
+
+We didn't check for end of buffer if it looks there is an escaped
+character - check for NULL terminator there and if found, return NULL
+as return value and in `ptr`, because a lone backslash is not
+a valid PostScript character.
+---
+ ppd/raster-interpret.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/ppd/raster-interpret.c b/ppd/raster-interpret.c
+index 91f6c0d3..d120d2fc 100644
+--- a/ppd/raster-interpret.c
+++ b/ppd/raster-interpret.c
+@@ -1270,7 +1270,19 @@ ppd_scan_ps(_ppd_ps_stack_t  *st,	// I  - Stack
+ 
+ 	    cur ++;
+ 
+-            if (*cur == 'b')
+	   /*
+	    * Return NULL if we reached NULL terminator, a lone backslash
+            * is not a valid character in PostScript.
+	    */
+
+	    if (!*cur)
+	    {
+	      *ptr = NULL;
+
+	      return (NULL);
+	    }
+
+	    if (*cur == 'b')
+ 	      *valptr++ = '\b';
+ 	    else if (*cur == 'f')
+ 	      *valptr++ = '\f';
+-- 
+2.41.0
+
--- a/libppd.spec
+++ b/libppd.spec
@ -8,7 +8,7 @@
 Name:           libppd
 Epoch:          1
 Version:        2.0~rc2
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Library for retro-fitting legacy printer drivers

 # the CUPS exception text is the same as LLVM exception, so using that name with
@ -26,6 +26,8 @@ Patch0001: libppd-disable-testppdfile.patch
 Patch0002: 0001-ppd-ppd-ipp.c-Use-make-when-constructing-printer-mak.patch
 # https://github.com/OpenPrinting/libppd/commit/30b35cc751bc312a1f82db849b1c80dbd8d32aa4
 Patch0003: 0001-Decode-JCLToPDFInterpreter-value-in-ppdEmitJCLPDF.patch
+# https://github.com/OpenPrinting/libppd/commit/262c909ac5
+Patch0004: 0001-raster-interpret.c-Fix-CVE-2023-4504.patch


 # for autogen.sh
@ -198,6 +200,9 @@ rm -rf %{buildroot}%{_datadir}/ppdc
 %endif

 %changelog
+* Wed Sep 20 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0~rc2-4
+- CVE-2023-4504 libppd: Postscript Parsing Heap Overflow
+
 * Tue Aug 08 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0~rc2-3
 - fix printing for PDF+PJL drivers