From d8e9308e896dcdfb162c811c87d3c94e4a0990d4 Mon Sep 17 00:00:00 2001 From: songkai Date: Wed, 18 Sep 2024 09:15:21 +0800 Subject: [PATCH] Fix CVE-2024-33869 and CVE-2024-33870 --- ghostscript.spec | 15 ++++++++- gs-CVE-2024-33869.patch | 43 +++++++++++++++++++++++++ gs-CVE-2024-33870.patch | 69 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 gs-CVE-2024-33869.patch create mode 100644 gs-CVE-2024-33870.patch diff --git a/ghostscript.spec b/ghostscript.spec index c7cf5e1..16de8db 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -42,7 +42,7 @@ Name: ghostscript Summary: Interpreter for PostScript language & PDF Version: 9.54.0 -Release: 17%{?dist} +Release: 18%{?dist} License: AGPLv3+ @@ -119,6 +119,15 @@ Patch012: gs-cve-2024-33871.patch # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e8db3416ab36de93e86d1f Patch013: ghostscript-9.54.0-CVE-2024-29510.patch +#Upstream fix: +#https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc3da2dc090450407d9fbcff80 +Patch014: gs-CVE-2024-33870.patch + +#Upstream fix: +#https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973011796bd388cd5befa1a43 +#https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83bc5b9eba94302e6618d4 +Patch015: gs-CVE-2024-33869.patch + # Downstream patches -- these should be always included when doing rebase: # ------------------ # Downstream patches for RHEL -- patches that we keep only in RHEL for various @@ -451,6 +460,10 @@ done # ============================================================================= %changelog +* Wed Sep 18 2024 Kai Song - 9.54.0-18 +- Fix CVE-2024-33870 +- Fix CVE-2024-33869 + * Mon Jul 15 2024 wangzhe - 9.54.0-17 - Fix CVE-2024-29510 diff --git a/gs-CVE-2024-33869.patch b/gs-CVE-2024-33869.patch new file mode 100644 index 0000000..e429078 --- /dev/null +++ b/gs-CVE-2024-33869.patch @@ -0,0 +1,43 @@ +diff --git a/base/gpmisc.c b/base/gpmisc.c +index 2b43f89..186d9b7 100644 +--- a/base/gpmisc.c ++++ b/base/gpmisc.c +@@ -1089,6 +1089,27 @@ gp_validate_path_len(const gs_memory_t *mem, + rlen = len; + } + else { ++ char *test = (char *)path, *test1; ++ uint tlen = len, slen; ++ ++ /* Look for any pipe (%pipe% or '|' specifications between path separators ++ * Reject any path spec which has a %pipe% or '|' anywhere except at the start. ++ */ ++ while (tlen > 0) { ++ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) { ++ code = gs_note_error(gs_error_invalidfileaccess); ++ goto exit; ++ } ++ test1 = test; ++ slen = search_separator((const char **)&test, path + len, test1, 1); ++ if(slen == 0) ++ break; ++ test += slen; ++ tlen -= test - test1; ++ if (test >= path + len) ++ break; ++ } ++ + rlen = len+1; + bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); + if (bufferfull == NULL) +@@ -1163,8 +1184,8 @@ gp_validate_path_len(const gs_memory_t *mem, + + continue; + } +- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) { +- buffer = bufferfull + cdirstrl + dirsepstrl; ++ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull ++ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) { + continue; + } + break; diff --git a/gs-CVE-2024-33870.patch b/gs-CVE-2024-33870.patch new file mode 100644 index 0000000..ff47ee1 --- /dev/null +++ b/gs-CVE-2024-33870.patch @@ -0,0 +1,69 @@ +diff --git a/base/gpmisc.c b/base/gpmisc.c +index f9a9230..2b43f89 100644 +--- a/base/gpmisc.c ++++ b/base/gpmisc.c +@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem, + const uint len, + const char *mode) + { +- char *buffer, *bufferfull; ++ char *buffer, *bufferfull = NULL; + uint rlen; + int code = 0; + const char *cdirstr = gp_file_name_current(); +@@ -1095,8 +1095,10 @@ gp_validate_path_len(const gs_memory_t *mem, + return gs_error_VMerror; + + buffer = bufferfull + prefix_len; +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) { ++ code = gs_note_error(gs_error_invalidfileaccess); ++ goto exit; ++ } + buffer[rlen] = 0; + } + while (1) { +@@ -1131,9 +1133,34 @@ gp_validate_path_len(const gs_memory_t *mem, + code = gs_note_error(gs_error_invalidfileaccess); + } + if (code < 0 && prefix_len > 0 && buffer > bufferfull) { ++ uint newlen = rlen + cdirstrl + dirsepstrl; ++ char *newbuffer; ++ int code; ++ + buffer = bufferfull; + memcpy(buffer, cdirstr, cdirstrl); + memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl); ++ ++ /* We've prepended a './' or similar for the current working directory. We need ++ * to execute file_name_reduce on that, to eliminate any '../' or similar from ++ * the (new) full path. ++ */ ++ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path"); ++ if (newbuffer == NULL) { ++ code = gs_note_error(gs_error_VMerror); ++ goto exit; ++ } ++ ++ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl); ++ newbuffer[newlen] = 0x00; ++ ++ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen); ++ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path"); ++ if (code != gp_combine_success) { ++ code = gs_note_error(gs_error_invalidfileaccess); ++ goto exit; ++ } ++ + continue; + } + else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) { +@@ -1152,6 +1179,7 @@ gp_validate_path_len(const gs_memory_t *mem, + gs_path_control_flag_is_scratch_file); + } + ++exit: + gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path"); + #ifdef EACCES + if (code == gs_error_invalidfileaccess) -- Gitee