diff --git a/0001-cve-CVE-2024-33871.patch b/0001-cve-CVE-2024-33871.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5443278a5c6fb127bc84bad5a9f30ef3aa2156af
--- /dev/null
+++ b/0001-cve-CVE-2024-33871.patch
@@ -0,0 +1,82 @@
+From b3a73a4d4a226a1a42ee1cd623ab03f9e57dc474 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Mon, 14 Oct 2024 19:17:31 +0800
+Subject: [PATCH] cve: CVE-2024-33871
+
+---
+ contrib/opvp/gdevopvp.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
+index c8da341..9f6166a 100644
+--- a/contrib/opvp/gdevopvp.c
++++ b/contrib/opvp/gdevopvp.c
+@@ -75,6 +75,7 @@
+ #include "gxcvalue.h"
+
+ #include "opvp_common.h"
++#include "gslibctx.h"
+
+ #define ENABLE_SIMPLE_MODE 1
+ #define ENABLE_SKIP_RASTER 1
+@@ -185,7 +186,7 @@ static int opvp_copy_color(gx_device *, const byte *, int, int,
+ static int _get_params(gs_param_list *);
+ static int opvp_get_params(gx_device *, gs_param_list *);
+ static int oprp_get_params(gx_device *, gs_param_list *);
+-static int _put_params(gs_param_list *);
++static int _put_params(gx_device *, gs_param_list *);
+ static int opvp_put_params(gx_device *, gs_param_list *);
+ static int oprp_put_params(gx_device *, gs_param_list *);
+ static int opvp_fill_path(gx_device *, const gs_gstate *, gx_path *,
+@@ -3039,7 +3040,7 @@ _get_params(gs_param_list *plist)
+ /* vector driver name */
+ pname = "Driver";
+ vdps.data = (byte *)vectorDriver;
+- vdps.size = (vectorDriver ? strlen(vectorDriver) + 1 : 0);
++ vdps.size = (vectorDriver ? strlen(vectorDriver) : 0);
+ vdps.persistent = false;
+ code = param_write_string(plist, pname, &vdps);
+ if (code) ecode = code;
+@@ -3176,7 +3177,7 @@ oprp_get_params(gx_device *dev, gs_param_list *plist)
+ * put params
+ */
+ static int
+-_put_params(gs_param_list *plist)
++_put_params(gx_device *dev, gs_param_list *plist)
+ {
+ int code;
+ int ecode = 0;
+@@ -3198,6 +3199,12 @@ _put_params(gs_param_list *plist)
+ code = param_read_string(plist, pname, &vdps);
+ switch (code) {
+ case 0:
++ if (gs_is_path_control_active(dev->memory)
++ && (!vectorDriver || strlen(vectorDriver) != vdps.size
++ || memcmp(vectorDriver, vdps.data, vdps.size) != 0)) {
++ param_signal_error(plist, pname, gs_error_invalidaccess);
++ return_error(gs_error_invalidaccess);
++ }
+ buff = realloc(buff, vdps.size + 1);
+ memcpy(buff, vdps.data, vdps.size);
+ buff[vdps.size] = 0;
+@@ -3399,7 +3406,7 @@ opvp_put_params(gx_device *dev, gs_param_list *plist)
+ int code;
+
+ /* put params */
+- code = _put_params(plist);
++ code = _put_params(dev, plist);
+ if (code) return code;
+
+ /* put default params */
+@@ -3415,7 +3422,7 @@ oprp_put_params(gx_device *dev, gs_param_list *plist)
+ int code;
+
+ /* put params */
+- code = _put_params(plist);
++ code = _put_params(dev, plist);
+ if (code) return code;
+
+ /* put default params */
+--
+2.39.3
+
diff --git a/0002-add-gs_is_path_control_active.patch b/0002-add-gs_is_path_control_active.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1aad21a0b22f4f95675ef9679ec5d1fa27b36e3c
--- /dev/null
+++ b/0002-add-gs_is_path_control_active.patch
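Review bot: The guard added under `case 0:` in `_put_params` only rejects a changed `Driver` when `gs_is_path_control_active(dev->memory)` is non-zero, and none of the three patches added in this commit assigns `gs_lib_ctx->core` or `core->path_control_active` (0002 only reads them, 0003 only declares them). If the pointer stays NULL the helper returns 0 and the check never fires, so the parameter would remain changeable under SAFER and the CVE fix would have no effect on 9.25; this is inferred from the visible patches and should be confirmed against the 9.25 context setup code. Either allocate `core` and set the flag at the point where SAFER is locked, or also key the guard on state this version already maintains, for example `if ((gs_is_path_control_active(dev->memory) || dev->LockSafetyParams)` if that field is kept current for this device. A regression test that runs with `-dSAFER` and expects `invalidaccess` on a `Driver` change would show whether the backport is effective. `_put_params` continues outside the hunk.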
@@ -0,0 +1,46 @@
+From 0ef96f32fdf927fb2620f3140233e936224613c9 Mon Sep 17 00:00:00 2001
+From: ut005731
+Date: Mon, 14 Oct 2024 19:57:23 +0800
+Subject: [PATCH] add gs_is_path_control_active
+
+---
+ base/gslibctx.c | 12 ++++++++++++
+ base/gslibctx.h | 3 +++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index a72011a..569b655 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -375,3 +375,15 @@ gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, co
+ }
+ return code;
+ }
++
++int
++gs_is_path_control_active(const gs_memory_t *mem)
++{
++ gs_lib_ctx_core_t *core;
++
++ if (mem == NULL || mem->gs_lib_ctx == NULL ||
++ (core = mem->gs_lib_ctx->core) == NULL)
++ return 0;
++
++ return core->path_control_active;
++}
+diff --git a/base/gslibctx.h b/base/gslibctx.h
+index 348bde0..ece9a20 100644
+--- a/base/gslibctx.h
++++ b/base/gslibctx.h
+@@ -152,6 +152,9 @@ gs_lib_ctx_get_default_device_list(const gs_memory_t *mem, char** dev_list_str,
+ int
+ gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission);
+
++int
++gs_is_path_control_active(const gs_memory_t *mem);
++
+ #define IS_LIBCTX_STDOUT(mem, f) (f == mem->gs_lib_ctx->fstdout)
+ #define IS_LIBCTX_STDERR(mem, f) (f == mem->gs_lib_ctx->fstderr)
+
+--
+2.39.3
diff --git a/0003-gs_lib_ctx_core_t.patch b/0003-gs_lib_ctx_core_t.patch
new file mode 100644
index 0000000000000000000000000000000000000000..904ad9956f128f95f10543bf50d51c8964d3306f
--- /dev/null
+++ b/0003-gs_lib_ctx_core_t.patch
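Review bot: `gs_is_path_control_active` in base/gslibctx.c returns 0 when `mem`, `mem->gs_lib_ctx` or `core` is NULL, so a missing context reads as "path control off" and any security check that depends on it fails open. That contract is stated neither at the definition nor at the prototype added to base/gslibctx.h; I would add `/* Non-zero when file path control (SAFER) is enforced. Returns 0 if the context or its core is missing, so 0 is not proof that restrictions are off. */` above the prototype. The assignment inside the condition, `(core = mem->gs_lib_ctx->core) == NULL`, would also read more clearly as a separate statement after the two NULL checks.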
@@ -0,0 +1,67 @@
+From 6edca04372cd1ac4794ce61c2cb8790881eb4753 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Tue, 15 Oct 2024 13:41:29 +0800
+Subject: [PATCH] gs_lib_ctx_core_t
+
+---
+ base/gslibctx.h | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/base/gslibctx.h b/base/gslibctx.h
+index ece9a20..9f7dc0e 100644
+--- a/base/gslibctx.h
++++ b/base/gslibctx.h
+@@ -39,9 +39,50 @@ typedef struct gs_font_dir_s gs_font_dir;
+
+ typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission);
+
++typedef struct {
++ void *monitor;
++ int refs;
++ gs_memory_t *memory;
++ FILE *fstdin;
++ FILE *fstdout;
++ FILE *fstderr;
++ int stdout_is_redirected; /* to stderr or fstdout2 */
++ int stdout_to_stderr;
++ int stdin_is_interactive;
++ void *default_caller_handle; /* identifies caller of GS DLL/shared object */
++ void *std_caller_handle;
++ void *poll_caller_handle;
++ void *custom_color_callback; /* pointer to color callback structure */
++ ulong gs_next_id; /* gs_id initialized here, private variable of gs_next_ids() */
++ /* True if we are emulating CPSI. Ideally this would be in the imager
++ * state, but this can't be done due to problems detecting changes in it
++ * for the clist based devices. */
++ int CPSI_mode;
++ int scanconverter;
++ int act_on_uel;
++
++ int path_control_active;
++ /* Ideally this pointer would only be present in CAL builds,
++ * but that's too hard to arrange, so we live with it in
++ * all builds. */
++ void *cal_ctx;
++
++ void *cms_context; /* Opaque context pointer from underlying CMS in use */
++
++ /* Stashed args */
++ int arg_max;
++ int argc;
++ char **argv;
++
++ /* clist io procs pointers. Indirected through here to allow
++ * easy build time selection. */
++
++} gs_lib_ctx_core_t;
++
+ typedef struct gs_lib_ctx_s
+ {
+ gs_memory_t *memory; /* mem->gs_lib_ctx->memory == mem */
++ gs_lib_ctx_core_t *core;
+ FILE *fstdin;
+ FILE *fstdout;
+ FILE *fstderr;
+--
+2.39.3
+
diff --git a/ghostscript.spec b/ghostscript.spec index 6b91718d1f4690edb1d4fa1841cb19922b6fa966..de268b2b77193e73a32cf8041f8cda4e0620c378 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -34,7 +34,7 @@ Name: ghostscript Summary: Interpreter for PostScript language & PDF Version: 9.25 -Release: 5%{?dist} +Release: 5%{?dist}.1 License: AGPLv3+ @@ -112,6 +112,11 @@ Patch018: ghostscript-cve-2019-14869.patch # ------------------ Patch100: ghostscript-9.23-100-run-dvipdf-securely.patch Patch101: ghostscript-9.25-101-reenable-cups-filters.patch +#add by uos +Patch102: 0001-cve-CVE-2024-33871.patch +Patch103: 0002-add-gs_is_path_control_active.patch +Patch104: 0003-gs_lib_ctx_core_t.patch +#end # Downstream patches for RHEL -- patches that we keep only in RHEL for various @@ -430,6 +435,9 @@ install -m 0755 -d %{buildroot}%{_sysconfdir}/%{name}/ # ============================================================================= %changelog +* Mon Oct 14 2024 zhuhongbo - 9.25-5.1 +- cve:fix CVE-2024-33871 + * Tue Mar 31 2020 Zdenek Dohnal - 9.25-5 - 1812284 - ghostscript fontconfig support broken when gs used with -dSAFER/-dPARANOIDSAFER
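Review bot: `gs_lib_ctx_core_t *core;` is inserted as the second member of `gs_lib_ctx_s`, which shifts the offsets of `fstdin`, `fstdout`, `fstderr` and every later member reached through `mem->gs_lib_ctx`. Any object built against the previous header would then read the wrong fields, so appending the pointer at the end of the struct (its tail is outside the hunk) is the safer placement for a point release. The new `gs_lib_ctx_core_t` also declares more than twenty fields, of which only `path_control_active` is read by this series. Several of them (`memory`, `fstdin`, `fstdout`, `fstderr`) repeat members of `gs_lib_ctx_s` visible in the same hunk, and the final comment about clist io procs pointers describes members that are not declared. Trimming the type to the one flag, or adding a comment such as `/* Partial copy kept only for the CVE-2024-33871 backport; only path_control_active is used. */`, would avoid two sources of truth for the stream pointers.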