Changes of Revision 10
_service:tar_scm:ghostscript.spec
Changed
@@ -9,7 +9,7 @@ Name: ghostscript Version: 9.56.1 -Release: 3 +Release: 5 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ @@ -40,6 +40,11 @@ # see https://bugs.ghostscript.com/show_bug.cgi?id=701819 Patch103: CVE-2023-38559.patch Patch104: backport-CVE-2023-46751.patch +Patch105: fix-cve-2023-52722.patch +Patch106: fix-CVE-2024-29510.patch +Patch107: fix-CVE-2024-33869.patch +Patch108: fix-CVE-2024-33870.patch +Patch109: fix-CVE-2024-33871.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -112,6 +117,11 @@ %patch102 -p0 %patch103 -p0 %patch104 -p1 +%patch105 -p1 +%patch106 -p1 +%patch107 -p1 +%patch108 -p1 +%patch109 -p1 # Libraries that we already have packaged(see Build Requirements): rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib @@ -205,6 +215,18 @@ %{_bindir}/dvipdf %changelog +* Fri May 10 2024 xuchenchen <xuchenchen@kylinos.cn> - 9.56.1-5 +- Type:CVE +- ID:NA +- SUG:NA +- DECS: fix CVE-2024-29510 CVE-2024-33869 CVE-2024-33870 CVE-2024-33871 + +* Sun Apr 28 2024 xuchenchen <xuchenchen@kylinos.cn> - 9.56.1-4 +- Type:CVE +- ID:NA +- SUG:NA +- DECS: fix CVE-2023-52722 + * Mon Dec 25 2023 liningjie <liningjie@xfusion.com> - 9.56.1-3 - Type:CVE - ID:NA
_service:tar_scm:fix-CVE-2024-29510.patch
Added
@@ -0,0 +1,78 @@
+From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 21 Mar 2024 09:01:15 +0000
+Subject: PATCH Uniprint device - prevent string configuration changes when SAFER
+
+Bug #707662
+
+We cannot sanitise the string arguments used by the Uniprint device
+because they can potentially include anything.
+
+This commit ensures that these strings are locked and cannot be
+changed by PostScript once SAFER is activated. Full configuration from
+the command line is still possible (see the *.upp files in lib).
+
+This addresses CVE-2024-29510
+---
+ devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/devices/gdevupd.c b/devices/gdevupd.c
+index 179c400..7826507 100644
+--- a/devices/gdevupd.c
++++ b/devices/gdevupd.c
+@@ -1887,6 +1887,16 @@ out on this copies.
+ if(!upd_stringsi) continue;
+ UPD_PARAM_READ(param_read_string,upd_stringsi,value,udev->memory);
+ if(0 == code) {
++ if (gs_is_path_control_active(udev->memory)) {
++ if (stringsi.size != value.size)
++ error = gs_error_invalidaccess;
++ else {
++ if (stringsi.data && memcmp(stringsi.data, value.data, stringsi.size) != 0)
++ error = gs_error_invalidaccess;
++ }
++ if (error < 0)
++ goto exit;
++ }
+ if(0 <= error) error |= UPD_PUT_STRINGS;
+ UPD_MM_DEL_PARAM(udev->memory, stringsi);
+ if(!value.size) {
+@@ -1904,6 +1914,26 @@ out on this copies.
+ if(!upd_string_ai) continue;
+ UPD_PARAM_READ(param_read_string_array,upd_string_ai,value,udev->memory);
+ if(0 == code) {
++ if (gs_is_path_control_active(udev->memory)) {
++ if (string_ai.size != value.size)
++ error = gs_error_invalidaccess;
++ else {
++ int loop;
++ for (loop = 0;loop < string_ai.size;loop++) {
++ gs_param_string *tmp1 = (gs_param_string *)&(string_ai.dataloop);
++ gs_param_string *tmp2 = (gs_param_string *)&value.dataloop;
++
++ if (tmp1->size != tmp2->size)
++ error = gs_error_invalidaccess;
++ else {
++ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
++ error = gs_error_invalidaccess;
++ }
++ }
++ }
++ if (error < 0)
++ goto exit;
++ }
+ if(0 <= error) error |= UPD_PUT_STRING_A;
+ UPD_MM_DEL_APARAM(udev->memory, string_ai);
+ if(!value.size) {
+@@ -2098,6 +2128,7 @@ transferred into the device-structure. In the case of "uniprint", this may
+ if(0 > code) error = code;
+ }
+
++exit:
+ if(0 < error) { /* Actually something loaded without error */
+
+ if(!(upd = udev->upd)) {
+--
+2.27.0
+
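Review bot: Neither of the two added `gs_is_path_control_active()` blocks in gdevupd.c has a comment saying why an unchanged value is the only one accepted, so a later maintainer has to find Bug #707662 to learn that these strings cannot be sanitised. I would put `/* SAFER: uniprint strings cannot be sanitised, so reject any change once path control is active */` above each block. In the string-array loop, `loop` is a signed `int` compared against the `size` member (unsigned, if it is the usual `uint`), and the loop keeps running after the first mismatch; a `break` after setting `error` would make the intent clearer. The `goto exit` skips the remaining parameter reads, and the code after `exit:` is mostly outside the hunk, so it is worth confirming that nothing allocated earlier in the function is left unreleased on this path.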
_service:tar_scm:fix-CVE-2024-33869.patch
Added
@@ -0,0 +1,34 @@
+From 5ae2e320d69a7d0973011796bd388cd5befa1a43 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Tue, 26 Mar 2024 12:02:57 +0000
+Subject: PATCH fix CVE-2024-33869
+
+Part 1; when stripping a potential Current Working Dirctory specifier
+from a path, make certain it really is a CWD, and not simply large
+ebough to be a CWD.
+
+Reasons are in the bug thread, this is not (IMO) serious.
+
+This is part of the fix for CVE-2024-33869
+---
+ base/gpmisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index f9a9230..f6b8870 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1136,8 +1136,8 @@ gp_validate_path_len(const gs_memory_t *mem,
+ memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
+ continue;
+ }
+- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
+- buffer = bufferfull + cdirstrl + dirsepstrl;
++ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
++ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
+ continue;
+ }
+ break;
+--
+2.27.0
+
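Review bot: The first added test, `memcmp(buffer, cdirstr, cdirstrl)`, is true when the leading bytes differ from the current-directory string, which is the opposite of the commit message's "make certain it really is a CWD"; the second test is negated and the first is not. If equality is intended, the line should read `&& !memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {`. The patch also removes `buffer = bufferfull + cdirstrl + dirsepstrl;` without a replacement, so the branch now reaches `continue` with `buffer` unchanged; the loop head is outside the hunk, so please confirm that the next iteration cannot take the same branch again. Both comparisons read `cdirstrl + dirsepstrl` bytes from `buffer`, and nothing visible here checks that the reduced path is at least that long.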
_service:tar_scm:fix-CVE-2024-33870.patch
Added
@@ -0,0 +1,88 @@
+From 79aef19c685984dc3da2dc090450407d9fbcff80 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Tue, 26 Mar 2024 12:00:14 +0000
+Subject: PATCH fix CVE-2024-33870
+
+See bug thread for details
+
+In addition to the noted bug; an error path (return from
+gp_file_name_reduce not successful) could elad to a memory leak as we
+did not free 'bufferfull'. Fix that too.
+
+This addresses CVE-2024-33870
+---
+ base/gpmisc.c | 34 +++++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index f6b8870..cbc6139 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ const uint len,
+ const char *mode)
+ {
+- char *buffer, *bufferfull;
++ char *buffer, *bufferfull = NULL;
+ uint rlen;
+ int code = 0;
+ const char *cdirstr = gp_file_name_current();
+@@ -1095,8 +1095,10 @@ gp_validate_path_len(const gs_memory_t *mem,
+ return gs_error_VMerror;
+
+ buffer = bufferfull + prefix_len;
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
++ code = gs_note_error(gs_error_invalidfileaccess);
++ goto exit;
++ }
+ bufferrlen = 0;
+ }
+ while (1) {
+@@ -1131,9 +1133,34 @@ gp_validate_path_len(const gs_memory_t *mem,
+ code = gs_note_error(gs_error_invalidfileaccess);
+ }
+ if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
++ uint newlen = rlen + cdirstrl + dirsepstrl;
++ char *newbuffer;
++ int code;
++
+ buffer = bufferfull;
+ memcpy(buffer, cdirstr, cdirstrl);
+ memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
++
++ /* We've prepended a './' or similar for the current working directory. We need
++ * to execute file_name_reduce on that, to eliminate any '../' or similar from
++ * the (new) full path.
++ */
++ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
++ if (newbuffer == NULL) {
++ code = gs_note_error(gs_error_VMerror);
++ goto exit;
++ }
++
++ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
++ newbuffernewlen = 0x00;
++
++ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
++ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
++ if (code != gp_combine_success) {
++ code = gs_note_error(gs_error_invalidfileaccess);
++ goto exit;
++ }
++
+ continue;
+ }
+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
+@@ -1152,6 +1179,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ gs_path_control_flag_is_scratch_file);
+ }
+
++exit:
+ gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
+ #ifdef EACCES
+ if (code == gs_error_invalidfileaccess)
+--
+2.27.0
+
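Review bot: The added `int code;` inside the `if (code < 0 && prefix_len > 0 && buffer > bufferfull)` block shadows the function-level `code`, so the `gs_error_VMerror` and `gs_error_invalidfileaccess` values assigned before the two new `goto exit` statements land in the inner variable and are gone by the time `exit:` tests `code`. The function still fails on those paths, because the outer `code` is negative when the branch is entered, but an allocation failure is reported with whatever error the outer variable already held. Dropping the inner declaration and keeping the reduce result in its own local fixes that: `int reduce_rc;` with `reduce_rc = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);` and `if (reduce_rc != gp_combine_success) {`. Building with `-Wshadow` would flag this.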
_service:tar_scm:fix-CVE-2024-33871.patch
Added
@@ -0,0 +1,38 @@
+From 7145885041bb52cc23964f0aa2aec1b1c82b5908 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 22 Apr 2024 13:33:47 +0100
+Subject: OPVP device - prevent unsafe parameter change with SAFER
+
+Bug #707754 "OPVP device - Arbitrary code execution via custom Driver library"
+
+The "Driver" parameter for the "opvp"/"oprp" device specifies the name
+of a dynamic library and allows any library to be loaded.
+
+The patch does not allow changing this parameter after activating path
+control.
+
+This addresses CVE-2024-33871
+---
+ contrib/opvp/gdevopvp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
+index 5f20cac..327152d 100644
+--- a/contrib/opvp/gdevopvp.c
++++ b/contrib/opvp/gdevopvp.c
+@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist)
+ code = param_read_string(plist, pname, &vdps);
+ switch (code) {
+ case 0:
++ if (gs_is_path_control_active(dev->memory)
++ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size
++ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) {
++ param_signal_error(plist, pname, gs_error_invalidaccess);
++ return_error(gs_error_invalidaccess);
++ }
+ buff = realloc(buff, vdps.size + 1);
+ memcpy(buff, vdps.data, vdps.size);
+ buffvdps.size = 0;
+--
+2.27.0
+
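Review bot: The new guard in `_put_params` has no comment explaining that `Driver` names a dynamic library to load and is therefore frozen once path control is active; that reasoning currently lives only in the patch header. I would add `/* Driver selects a shared library to load: refuse any change once SAFER path control is active */` above the `if`. The early `return_error` leaves `_put_params` before the rest of the parameter handling, which is outside the hunk, so confirm that nothing acquired earlier in the function needs releasing on this path. Separately, the context line right below assigns the result of `realloc` straight to `buff` and copies into it without a NULL check; that predates this patch but sits on the same parameter.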
_service:tar_scm:fix-cve-2023-52722.patch
Added
@@ -0,0 +1,39 @@
+From afd7188f74918cb51b5fb89f52b54eb16e8acfd1 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: 2023-09-12 10:46:10 +0100
+Subject: PATCH In SAFER (default) don't allow eexec seeds other than the Type 1 standard
+ Type 1 standard
+
+---
+ psi/zmisc1.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/psi/zmisc1.c b/psi/zmisc1.c
+index 3c47e99..81556ac 100644
+--- a/psi/zmisc1.c
++++ b/psi/zmisc1.c
+@@ -93,6 +93,9 @@ zexE(i_ctx_t *i_ctx_p)
+
+ if (code < 0)
+ return code;
++ if (gs_is_path_control_active(imemory) != 0 && state.cstate != 55665) {
++ return_error(gs_error_rangecheck);
++ }
+ return filter_write(i_ctx_p, code, &s_exE_template, (stream_state *)&state, 0);
+ }
+
+@@ -130,6 +133,11 @@ zexD(i_ctx_t *i_ctx_p)
+ }
+ if (code < 0)
+ return code;
++
++ if (gs_is_path_control_active(imemory) != 0 && state.cstate != 55665) {
++ return_error(gs_error_rangecheck);
++ }
++
+ /*
+ * If we're reading a .PFB file, let the filter know about it,
+ * so it can read recklessly to the end of the binary section.
+--
+2.43.0
+
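Review bot: The literal `55665` appears in both added checks (`zexE` and `zexD`) with no name or comment; a shared constant such as `#define EEXEC_STANDARD_SEED 55665` (the name is only a suggestion), or at least `/* Type 1 standard eexec seed */` beside each test, would tell the reader why this is the only value allowed when path control is active. The patch header also differs from the other patches in this revision: it has no bug reference or commit body, the CVE id appears only in the file name, and the `Date:` line is not in the usual mail format, which makes it harder to check the backport against the upstream commit. Adding the upstream bug or commit reference to the header would close that gap.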