From 0c2f94b6d3e601cea40f501aa3a57a957d53676a Mon Sep 17 00:00:00 2001
From: wangzhe <wanglan.wz@alibaba-inc.com>
Date: Mon, 15 Jul 2024 22:50:09 +0800
Subject: [PATCH] Fix CVE-2024-29510

Signed-off-by: wangzhe <wanglan.wz@alibaba-inc.com>
---
 ghostscript-9.54.0-CVE-2024-29510.patch | 79 +++++++++++++++++++++++++
 ghostscript.spec                        |  8 ++-
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 ghostscript-9.54.0-CVE-2024-29510.patch

diff --git a/ghostscript-9.54.0-CVE-2024-29510.patch b/ghostscript-9.54.0-CVE-2024-29510.patch
new file mode 100644
index 0000000..e886c93
--- /dev/null
+++ b/ghostscript-9.54.0-CVE-2024-29510.patch
@@ -0,0 +1,79 @@
+From 8584d98dab950f70017ec4466c525434a30ad126 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 21 Mar 2024 09:01:15 +0000
+Subject: [PATCH] Uniprint device - prevent string configuration changes when
+ SAFER
+
+Bug #707662
+
+We cannot sanitise the string arguments used by the Uniprint device
+because they can potentially include anything.
+
+This commit ensures that these strings are locked and cannot be
+changed by PostScript once SAFER is activated. Full configuration from
+the command line is still possible (see the *.upp files in lib).
+
+This addresses CVE-2024-29510
+---
+ devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/devices/gdevupd.c b/devices/gdevupd.c
+index badc804..0cb9a19 100644
+--- a/devices/gdevupd.c
++++ b/devices/gdevupd.c
+@@ -1880,6 +1880,16 @@ out on this copies.
+       if(!upd_strings[i]) continue;
+       UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
+       if(0 == code) {
++        if (gs_is_path_control_active(udev->memory)) {
++            if (strings[i].size != value.size)
++              error = gs_error_invalidaccess;
++            else {
++                if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
++                    error = gs_error_invalidaccess;
++            }
++            if (error < 0)
++                goto exit;
++        }
+          if(0 <= error) error |= UPD_PUT_STRINGS;
+          UPD_MM_DEL_PARAM(udev->memory, strings[i]);
+          if(!value.size) {
+@@ -1897,6 +1907,26 @@ out on this copies.
+       if(!upd_string_a[i]) continue;
+       UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
+       if(0 == code) {
++          if (gs_is_path_control_active(udev->memory)) {
++              if (string_a[i].size != value.size)
++                  error = gs_error_invalidaccess;
++              else {
++                  int loop;
++                  for (loop = 0;loop < string_a[i].size;loop++) {
++                      gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
++                      gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
++
++                      if (tmp1->size != tmp2->size)
++                          error = gs_error_invalidaccess;
++                      else {
++                          if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
++                              error = gs_error_invalidaccess;
++                      }
++                  }
++              }
++            if (error < 0)
++                goto exit;
++          }
+          if(0 <= error) error |= UPD_PUT_STRING_A;
+          UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
+          if(!value.size) {
+@@ -2091,6 +2121,7 @@ transferred into the device-structure. In the case of "uniprint", this may
+       if(0 > code) error = code;
+    }
+ 
++exit:
+    if(0 < error) { /* Actually something loaded without error */
+ 
+       if(!(upd = udev->upd)) {
+-- 
+2.39.3
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 07c536d..c7cf5e1 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -42,7 +42,7 @@
 Name:             ghostscript
 Summary:          Interpreter for PostScript language & PDF
 Version:          9.54.0
-Release:          16%{?dist}
+Release:          17%{?dist}
 
 License:          AGPLv3+
 
@@ -115,6 +115,9 @@ Patch010: ghostscript-9.54.0-CVE-2023-38559.patch
 Patch011: ghostscript-9.54.0-CVE-2023-43115.patch
 # RHEL-39110 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
 Patch012: gs-cve-2024-33871.patch
+# CVE-2024-29510
+# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e8db3416ab36de93e86d1f
+Patch013: ghostscript-9.54.0-CVE-2024-29510.patch
 
 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
@@ -448,6 +451,9 @@ done
 # =============================================================================
 
 %changelog
+* Mon Jul 15 2024 wangzhe <wanglan.wz@alibaba-inc.com> - 9.54.0-17
+- Fix CVE-2024-29510 
+
 * Thu Jun 13 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-16
 - RHEL-39110 fix regression discovered in OPVP device
 
-- 
Gitee