diff --git a/Bugfix-for-CVE-2024-29510.patch b/Bugfix-for-CVE-2024-29510.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f3f6e7fbc7e53312936d1d7d0e43d151a005ec14
--- /dev/null
+++ b/Bugfix-for-CVE-2024-29510.patch
@@ -0,0 +1,68 @@
+From 6084990327177c0e3409d063e4d40c7dfed2e97d Mon Sep 17 00:00:00 2001
+From: root
+Date: Thu, 11 Jul 2024 16:26:10 +0800
+Subject: [PATCH] Bugfix for CVE-2024-29510
+
+---
+ devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/devices/gdevupd.c b/devices/gdevupd.c
+index 740dae0..0eac02b 100644
+--- a/devices/gdevupd.c
++++ b/devices/gdevupd.c
+@@ -1887,6 +1887,16 @@ out on this copies.
+ if(!upd_strings[i]) continue;
+ UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
+ if(0 == code) {
++ if (gs_is_path_control_active(udev->memory)) {
++ if (strings[i].size != value.size)
++ error = gs_error_invalidaccess;
++ else {
++ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
++ error = gs_error_invalidaccess;
++ }
++ if (error < 0)
++ goto exit;
++ }
+ if(0 <= error) error |= UPD_PUT_STRINGS;
+ UPD_MM_DEL_PARAM(udev->memory, strings[i]);
+ if(!value.size) {
+@@ -1904,6 +1914,26 @@ out on this copies.
+ if(!upd_string_a[i]) continue;
+ UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
+ if(0 == code) {
++ if (gs_is_path_control_active(udev->memory)) {
++ if (string_a[i].size != value.size)
++ error = gs_error_invalidaccess;
++ else {
++ int loop;
++ for (loop = 0;loop < string_a[i].size;loop++) {
++ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
++ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
++
++ if (tmp1->size != tmp2->size)
++ error = gs_error_invalidaccess;
++ else {
++ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
++ error = gs_error_invalidaccess;
++ }
++ }
++ }
++ if (error < 0)
++ goto exit;
++ }
+ if(0 <= error) error |= UPD_PUT_STRING_A;
+ UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
+ if(!value.size) {
+@@ -2098,6 +2128,7 @@ transferred into the device-structure. In the case of "uniprint", this may
+ if(0 > code) error = code;
+ }
+
++exit:
+ if(0 < error) { /* Actually something loaded without error */
+
+ if(!(upd = udev->upd)) {
+--
+2.27.0
+
diff --git a/Bugfix-for-CVE-2024-33869.patch b/Bugfix-for-CVE-2024-33869.patch
new file mode 100644
index 0000000000000000000000000000000000000000..eee4be6416b688c020721f5a09fe8c9f5a318465
--- /dev/null
+++ b/Bugfix-for-CVE-2024-33869.patch
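Review bot: In Bugfix-for-CVE-2024-29510.patch, the string-array check added at `@@ -1904,6 +1914,26 @@` keeps iterating after the first mismatch and compares a signed `int loop` against `string_a[i].size` (presumably unsigned); neither changes the result, but a `break;` after each `error = gs_error_invalidaccess;` inside the loop and an unsigned index would make the intent plain. The two casts to `gs_param_string *` look unnecessary because the elements are only read, so `const gs_param_string *tmp1 = &string_a[i].data[loop];` would do if `data` is const-qualified as the cast suggests. Both added blocks would also benefit from a one-line comment such as `/* Once path control is active, these string parameters may only be re-sent with their current value. */`. The enclosing function starts and ends outside the hunks, so what runs after the new `exit:` label when `error` is negative cannot be checked from here.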
@@ -0,0 +1,55 @@
+From 0b257385e39b1213e5e971add5476b7da330b963 Mon Sep 17 00:00:00 2001
+From: root
+Date: Thu, 11 Jul 2024 16:33:19 +0800
+Subject: [PATCH] Bugfix for CVE-2024-33869
+
+---
+ base/gpmisc.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index c4a69b0..b0d5c71 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1090,6 +1090,27 @@ gp_validate_path_len(const gs_memory_t *mem,
+ rlen = len;
+ }
+ else {
++ char *test = (char *)path, *test1;
++ uint tlen = len, slen;
++
++ /* Look for any pipe (%pipe% or '|' specifications between path separators
++ * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
++ */
++ while (tlen > 0) {
++ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
++ code = gs_note_error(gs_error_invalidfileaccess);
++ goto exit;
++ }
++ test1 = test;
++ slen = search_separator((const char **)&test, path + len, test1, 1);
++ if(slen == 0)
++ break;
++ test += slen;
++ tlen -= test - test1;
++ if (test >= path + len)
++ break;
++ }
++
+ rlen = len+1;
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
+@@ -1164,8 +1185,8 @@ gp_validate_path_len(const gs_memory_t *mem,
+
+ continue;
+ }
+- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
+- buffer = bufferfull + cdirstrl + dirsepstrl;
++ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
++ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
+ continue;
+ }
+ break;
+--
+2.27.0
+
diff --git a/Bugfix-for-CVE-2024-33870.patch b/Bugfix-for-CVE-2024-33870.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f13ae6d09c3ff2b8c8c0ffc2fdeecbae8e92af31
--- /dev/null
+++ b/Bugfix-for-CVE-2024-33870.patch
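Review bot: In Bugfix-for-CVE-2024-33869.patch, the rewritten `else if` at `@@ -1164,8 +1185,8 @@` tests `memcmp(buffer, cdirstr, cdirstrl)` for non-zero but `!memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)` for zero, so the branch is taken only when the buffer does not start with the current-directory string yet has the separator at that offset; if both were meant as prefix matches, the first should read `memcmp(buffer, cdirstr, cdirstrl) == 0`. The branch also no longer changes `buffer` before `continue`, so its own condition `buffer == bufferfull` still holds on the next pass. The loop head is outside the hunk, so whether anything else guarantees progress should be confirmed against the upstream commits cited in the spec. In the first hunk the `goto exit` relies on the `exit:` label and the `bufferfull = NULL` initialiser that Bugfix-for-CVE-2024-33870.patch introduces, so that patch has to be applied first (the spec lists it as Patch2).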
@@ -0,0 +1,87 @@
+From 26b9b4262dcd6a5d2c0a494c80ba38c216a44151 Mon Sep 17 00:00:00 2001
+From: root
+Date: Thu, 11 Jul 2024 16:30:42 +0800
+Subject: [PATCH] Bugfix for CVE-2024-33870
+
+---
+ base/gpmisc.c | 36 ++++++++++++++++++++++++++++++++----
+ 1 file changed, 32 insertions(+), 4 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 2b0064b..c4a69b0 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2023 Artifex Software, Inc.
++/* Copyright (C) 2001-2024 Artifex Software, Inc.
+ All Rights Reserved.
+
+ This software is provided AS-IS with no warranty, either express or
+@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ const uint len,
+ const char *mode)
+ {
+- char *buffer, *bufferfull;
++ char *buffer, *bufferfull = NULL;
+ uint rlen;
+ int code = 0;
+ const char *cdirstr = gp_file_name_current();
+@@ -1096,8 +1096,10 @@ gp_validate_path_len(const gs_memory_t *mem,
+ return gs_error_VMerror;
+
+ buffer = bufferfull + prefix_len;
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
++ code = gs_note_error(gs_error_invalidfileaccess);
++ goto exit;
++ }
+ buffer[rlen] = 0;
+ }
+ while (1) {
+@@ -1132,9 +1134,34 @@ gp_validate_path_len(const gs_memory_t *mem,
+ code = gs_note_error(gs_error_invalidfileaccess);
+ }
+ if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
++ uint newlen = rlen + cdirstrl + dirsepstrl;
++ char *newbuffer;
++ int code;
++
+ buffer = bufferfull;
+ memcpy(buffer, cdirstr, cdirstrl);
+ memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
++
++ /* We've prepended a './' or similar for the current working directory. We need
++ * to execute file_name_reduce on that, to eliminate any '../' or similar from
++ * the (new) full path.
++ */
++ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
++ if (newbuffer == NULL) {
++ code = gs_note_error(gs_error_VMerror);
++ goto exit;
++ }
++
++ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
++ newbuffer[newlen] = 0x00;
++
++ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
++ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
++ if (code != gp_combine_success) {
++ code = gs_note_error(gs_error_invalidfileaccess);
++ goto exit;
++ }
++
+ continue;
+ }
+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
+@@ -1153,6 +1180,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ gs_path_control_flag_is_scratch_file);
+ }
+
++exit:
+ gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
+ #ifdef EACCES
+ if (code == gs_error_invalidfileaccess)
+--
+2.27.0
+
diff --git a/Bugfix-for-CVE-2024-33871.patch b/Bugfix-for-CVE-2024-33871.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f4af83b70ee642d9c97a728d00321976a26304fb
--- /dev/null
+++ b/Bugfix-for-CVE-2024-33871.patch
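Review bot: In Bugfix-for-CVE-2024-33870.patch, the `int code;` added at `@@ -1132,9 +1134,34 @@` shadows the function-level `code`, so the `gs_error_VMerror` and `gs_error_invalidfileaccess` values assigned before the two `goto exit` statements in that block are lost when the block ends, and the `exit:` path sees only the outer value. That outer value is negative by the branch condition, so the function presumably still fails closed, but an allocation failure is not reported as such. Dropping the declaration and holding the reduce result in its own local, e.g. `int rcode = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);` followed by `if (rcode != gp_combine_success) {`, would fix that. Unlike the first reduce call, which is followed by `buffer[rlen] = 0;`, this one neither terminates `buffer` at `newlen` nor updates `rlen`; the loop head is outside the hunk, so whether the next pass depends on either should be confirmed.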
@@ -0,0 +1,29 @@
+From 6afe688e06ca700dd4f187a80777eb1947a534a5 Mon Sep 17 00:00:00 2001
+From: root
+Date: Thu, 11 Jul 2024 16:36:21 +0800
+Subject: [PATCH] Bugfix for CVE-2024-33871
+
+---
+ contrib/opvp/gdevopvp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
+index 74200cf..80eb23b 100644
+--- a/contrib/opvp/gdevopvp.c
++++ b/contrib/opvp/gdevopvp.c
+@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist)
+ code = param_read_string(plist, pname, &vdps);
+ switch (code) {
+ case 0:
++ if (gs_is_path_control_active(dev->memory)
++ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size
++ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) {
++ param_signal_error(plist, pname, gs_error_invalidaccess);
++ return_error(gs_error_invalidaccess);
++ }
+ buff = realloc(buff, vdps.size + 1);
+ memcpy(buff, vdps.data, vdps.size);
+ buff[vdps.size] = 0;
+--
+2.27.0
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 91edba6d398a590186737b2623400dcff3487c8a..37b6df7b6daa433ab7cc6c6e403b408240f1dd32 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 %global _hardened_build 1
 %global _docdir_fmt %{name}
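Review bot: In Bugfix-for-CVE-2024-33871.patch, the new guard leaves `_put_params` through `return_error` from inside the `switch`; if `buff` can already hold an allocation at that point (the `realloc(buff, vdps.size + 1)` on the following context line suggests it may), that early return would leak it, and the rest of the function is outside the hunk. The guard also carries no comment, so a line such as `/* With path control active the driver name may only be re-sent unchanged; a new or different value is refused. */` would record why the comparison exists. The `realloc` result just below is used unchecked, which predates this patch but sits on the path the guard now protects.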
@@ -33,6 +33,27 @@ Obsoletes: ghostscript-core < 9.53.3-6 Patch0: ghostscript-10.01.0-fix-linkage.patch +# CVE-2024-29510 +# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-29510 +# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e8db3416ab36de93e86d1f +Patch1: Bugfix-for-CVE-2024-29510.patch + +# CVE-2024-33870 +# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-33870 +# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc3da2dc090450407d9fbcff80 +Patch2: Bugfix-for-CVE-2024-33870.patch + +# CVE-2024-33869 +# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-33869 +# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973011796bd388cd5befa1a43 +# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83bc5b9eba94302e6618d4 +Patch3: Bugfix-for-CVE-2024-33869.patch + +# CVE-2024-33871 +# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-33871 +# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc23964f0aa2aec1b1c82b5908 +Patch4: Bugfix-for-CVE-2024-33871.patch + %description Ghostscript is an interpreter for PostScript® and Portable Document Format (PDF) files. @@ -227,6 +248,9 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %changelog +* Tue Jul 09 2024 lidongyue 10.02.1-2 +- Fix CVE-2024-29510 CVE-2024-33870 CVE-2024-33869 CVE-2024-33871 + * Sun Nov 05 2023 Funda Wang - 10.02.1-1 - New version 10.02.1