diff --git a/Bugfix-for-CVE-2024-29510.patch b/Bugfix-for-CVE-2024-29510.patch deleted file mode 100644 index f3f6e7fbc7e53312936d1d7d0e43d151a005ec14..0000000000000000000000000000000000000000 --- a/Bugfix-for-CVE-2024-29510.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 6084990327177c0e3409d063e4d40c7dfed2e97d Mon Sep 17 00:00:00 2001 -From: root -Date: Thu, 11 Jul 2024 16:26:10 +0800 -Subject: [PATCH] Bugfix for CVE-2024-29510 - ---- - devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++ - 1 file changed, 31 insertions(+) - -diff --git a/devices/gdevupd.c b/devices/gdevupd.c -index 740dae0..0eac02b 100644 ---- a/devices/gdevupd.c -+++ b/devices/gdevupd.c -@@ -1887,6 +1887,16 @@ out on this copies. - if(!upd_strings[i]) continue; - UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory); - if(0 == code) { -+ if (gs_is_path_control_active(udev->memory)) { -+ if (strings[i].size != value.size) -+ error = gs_error_invalidaccess; -+ else { -+ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0) -+ error = gs_error_invalidaccess; -+ } -+ if (error < 0) -+ goto exit; -+ } - if(0 <= error) error |= UPD_PUT_STRINGS; - UPD_MM_DEL_PARAM(udev->memory, strings[i]); - if(!value.size) { -@@ -1904,6 +1914,26 @@ out on this copies. - if(!upd_string_a[i]) continue; - UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory); - if(0 == code) { -+ if (gs_is_path_control_active(udev->memory)) { -+ if (string_a[i].size != value.size) -+ error = gs_error_invalidaccess; -+ else { -+ int loop; -+ for (loop = 0;loop < string_a[i].size;loop++) { -+ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]); -+ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop]; -+ -+ if (tmp1->size != tmp2->size) -+ error = gs_error_invalidaccess; -+ else { -+ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0) -+ error = gs_error_invalidaccess; -+ } -+ } -+ } -+ if (error < 0) -+ goto exit; -+ } - if(0 <= error) error |= UPD_PUT_STRING_A; - UPD_MM_DEL_APARAM(udev->memory, string_a[i]); - if(!value.size) { -@@ -2098,6 +2128,7 @@ transferred into the device-structure. In the case of "uniprint", this may - if(0 > code) error = code; - } - -+exit: - if(0 < error) { /* Actually something loaded without error */ - - if(!(upd = udev->upd)) { --- -2.27.0 - diff --git a/Bugfix-for-CVE-2024-33869.patch b/Bugfix-for-CVE-2024-33869.patch deleted file mode 100644 index eee4be6416b688c020721f5a09fe8c9f5a318465..0000000000000000000000000000000000000000 --- a/Bugfix-for-CVE-2024-33869.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 0b257385e39b1213e5e971add5476b7da330b963 Mon Sep 17 00:00:00 2001 -From: root -Date: Thu, 11 Jul 2024 16:33:19 +0800 -Subject: [PATCH] Bugfix for CVE-2024-33869 - ---- - base/gpmisc.c | 25 +++++++++++++++++++++++-- - 1 file changed, 23 insertions(+), 2 deletions(-) - -diff --git a/base/gpmisc.c b/base/gpmisc.c -index c4a69b0..b0d5c71 100644 ---- a/base/gpmisc.c -+++ b/base/gpmisc.c -@@ -1090,6 +1090,27 @@ gp_validate_path_len(const gs_memory_t *mem, - rlen = len; - } - else { -+ char *test = (char *)path, *test1; -+ uint tlen = len, slen; -+ -+ /* Look for any pipe (%pipe% or '|' specifications between path separators -+ * Reject any path spec which has a %pipe% or '|' anywhere except at the start. -+ */ -+ while (tlen > 0) { -+ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) { -+ code = gs_note_error(gs_error_invalidfileaccess); -+ goto exit; -+ } -+ test1 = test; -+ slen = search_separator((const char **)&test, path + len, test1, 1); -+ if(slen == 0) -+ break; -+ test += slen; -+ tlen -= test - test1; -+ if (test >= path + len) -+ break; -+ } -+ - rlen = len+1; - bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); - if (bufferfull == NULL) -@@ -1164,8 +1185,8 @@ gp_validate_path_len(const gs_memory_t *mem, - - continue; - } -- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) { -- buffer = bufferfull + cdirstrl + dirsepstrl; -+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull -+ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) { - continue; - } - break; --- -2.27.0 - diff --git a/Bugfix-for-CVE-2024-33870.patch b/Bugfix-for-CVE-2024-33870.patch deleted file mode 100644 index f13ae6d09c3ff2b8c8c0ffc2fdeecbae8e92af31..0000000000000000000000000000000000000000 --- a/Bugfix-for-CVE-2024-33870.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 26b9b4262dcd6a5d2c0a494c80ba38c216a44151 Mon Sep 17 00:00:00 2001 -From: root -Date: Thu, 11 Jul 2024 16:30:42 +0800 -Subject: [PATCH] Bugfix for CVE-2024-33870 - ---- - base/gpmisc.c | 36 ++++++++++++++++++++++++++++++++---- - 1 file changed, 32 insertions(+), 4 deletions(-) - -diff --git a/base/gpmisc.c b/base/gpmisc.c -index 2b0064b..c4a69b0 100644 ---- a/base/gpmisc.c -+++ b/base/gpmisc.c -@@ -1,4 +1,4 @@ --/* Copyright (C) 2001-2023 Artifex Software, Inc. -+/* Copyright (C) 2001-2024 Artifex Software, Inc. - All Rights Reserved. - - This software is provided AS-IS with no warranty, either express or -@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem, - const uint len, - const char *mode) - { -- char *buffer, *bufferfull; -+ char *buffer, *bufferfull = NULL; - uint rlen; - int code = 0; - const char *cdirstr = gp_file_name_current(); -@@ -1096,8 +1096,10 @@ gp_validate_path_len(const gs_memory_t *mem, - return gs_error_VMerror; - - buffer = bufferfull + prefix_len; -- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) -- return gs_error_invalidfileaccess; -+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) { -+ code = gs_note_error(gs_error_invalidfileaccess); -+ goto exit; -+ } - buffer[rlen] = 0; - } - while (1) { -@@ -1132,9 +1134,34 @@ gp_validate_path_len(const gs_memory_t *mem, - code = gs_note_error(gs_error_invalidfileaccess); - } - if (code < 0 && prefix_len > 0 && buffer > bufferfull) { -+ uint newlen = rlen + cdirstrl + dirsepstrl; -+ char *newbuffer; -+ int code; -+ - buffer = bufferfull; - memcpy(buffer, cdirstr, cdirstrl); - memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl); -+ -+ /* We've prepended a './' or similar for the current working directory. We need -+ * to execute file_name_reduce on that, to eliminate any '../' or similar from -+ * the (new) full path. -+ */ -+ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path"); -+ if (newbuffer == NULL) { -+ code = gs_note_error(gs_error_VMerror); -+ goto exit; -+ } -+ -+ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl); -+ newbuffer[newlen] = 0x00; -+ -+ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen); -+ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path"); -+ if (code != gp_combine_success) { -+ code = gs_note_error(gs_error_invalidfileaccess); -+ goto exit; -+ } -+ - continue; - } - else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) { -@@ -1153,6 +1180,7 @@ gp_validate_path_len(const gs_memory_t *mem, - gs_path_control_flag_is_scratch_file); - } - -+exit: - gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path"); - #ifdef EACCES - if (code == gs_error_invalidfileaccess) --- -2.27.0 - diff --git a/Bugfix-for-CVE-2024-33871.patch b/Bugfix-for-CVE-2024-33871.patch deleted file mode 100644 index f4af83b70ee642d9c97a728d00321976a26304fb..0000000000000000000000000000000000000000 --- a/Bugfix-for-CVE-2024-33871.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 6afe688e06ca700dd4f187a80777eb1947a534a5 Mon Sep 17 00:00:00 2001 -From: root -Date: Thu, 11 Jul 2024 16:36:21 +0800 -Subject: [PATCH] Bugfix for CVE-2024-33871 - ---- - contrib/opvp/gdevopvp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c -index 74200cf..80eb23b 100644 ---- a/contrib/opvp/gdevopvp.c -+++ b/contrib/opvp/gdevopvp.c -@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist) - code = param_read_string(plist, pname, &vdps); - switch (code) { - case 0: -+ if (gs_is_path_control_active(dev->memory) -+ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size -+ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) { -+ param_signal_error(plist, pname, gs_error_invalidaccess); -+ return_error(gs_error_invalidaccess); -+ } - buff = realloc(buff, vdps.size + 1); - memcpy(buff, vdps.data, vdps.size); - buff[vdps.size] = 0; --- -2.27.0 - diff --git a/ghostscript-10.01.0-fix-linkage.patch b/ghostscript-10.01.0-fix-linkage.patch deleted file mode 100644 index deac484839b5935101c6f533e4c9ac23daaf1287..0000000000000000000000000000000000000000 --- a/ghostscript-10.01.0-fix-linkage.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- ghostscript-10.01.0/devices/devs.mak.orig 2023-03-23 12:23:25.642893279 +0800 -+++ ghostscript-10.01.0/devices/devs.mak 2023-03-23 12:23:56.089893279 +0800 -@@ -396,8 +396,8 @@ - ### Shared library object supporting X11. - ### NON PORTABLE, ONLY UNIX WITH GCC SUPPORT - --$(DEVOBJ)X11.so : $(x11alt_) $(x11_) $(DEVS_MAK) $(MAKEDIRS) -- $(CCLD) $(LDFLAGS) -shared -o $(DEVOBJ)X11.so $(x11alt_) $(x11_) -L/usr/X11R6/lib -lXt -lSM -lICE -lXext -lX11 $(XLIBDIRS) -+$(DEVOBJ)X11.so : $(x11alt_) $(x11_) $(DEVS_MAK) $(MAKEDIRS) $(GS_XE) -+ $(CCLD) $(LDFLAGS) -shared -o $(DEVOBJ)X11.so $(x11alt_) $(x11_) -L/usr/X11R6/lib $(GS_XE) -lXt -lSM -lICE -lXext -lX11 $(XLIBDIRS) - - ###### --------------- Memory-buffered printer devices --------------- ###### - diff --git a/ghostscript-10.02.1.tar.xz b/ghostscript-10.04.0.tar.xz similarity index 84% rename from ghostscript-10.02.1.tar.xz rename to ghostscript-10.04.0.tar.xz index 54364a456a2a57d31e02d57719a54ce6edb02e3d..c3b4c540f5dc7568d9d05563649f4db3e884fc5d 100644 Binary files a/ghostscript-10.02.1.tar.xz and b/ghostscript-10.04.0.tar.xz differ diff --git a/ghostscript.spec b/ghostscript.spec index 37b6df7b6daa433ab7cc6c6e403b408240f1dd32..07c7f498399433b9ded740124f990d4d6b52fabf 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 1 %global _hardened_build 1 %global _docdir_fmt %{name} @@ -9,7 +9,7 @@ Name: ghostscript Summary: Interpreter for PostScript language & PDF -Version: 10.02.1 +Version: 10.04.0 Release: %{anolis_release}%{?dist} License: AGPLv3+ URL: https://ghostscript.com/ @@ -31,29 +31,8 @@ Provides: ghostscript-core = %{version}-%{release} Obsoletes: ghostscript-core < 9.53.3-6 -Patch0: ghostscript-10.01.0-fix-linkage.patch - -# CVE-2024-29510 -# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-29510 -# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e8db3416ab36de93e86d1f -Patch1: Bugfix-for-CVE-2024-29510.patch - -# CVE-2024-33870 -# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-33870 -# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc3da2dc090450407d9fbcff80 -Patch2: Bugfix-for-CVE-2024-33870.patch - -# CVE-2024-33869 -# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-33869 -# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973011796bd388cd5befa1a43 -# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83bc5b9eba94302e6618d4 -Patch3: Bugfix-for-CVE-2024-33869.patch - -# CVE-2024-33871 -# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-33871 -# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc23964f0aa2aec1b1c82b5908 -Patch4: Bugfix-for-CVE-2024-33871.patch - +Patch0: ps2epsi-permit-devices.patch + %description Ghostscript is an interpreter for PostScript® and Portable Document Format (PDF) files. @@ -248,6 +227,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %changelog +* Mon Jan 13 2025 mgb01105731 - 10.04.0-1 +- to #IAR5N0 , #IBGXKA +- update to 10.04.0 for CVE-2024-46955 CVE-2024-29508 +- Project: TC2024080204 +- Signed-off-by: mgb01105731 mgb01105731@alibaba-inc.com + * Tue Jul 09 2024 lidongyue 10.02.1-2 - Fix CVE-2024-29510 CVE-2024-33870 CVE-2024-33869 CVE-2024-33871 @@ -277,7 +262,7 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ * Mon Jan 23 2023 Funda Wang - 9.56.1-2 - Rebuild for new libpaper -- Only ghostscript uses ijs, so use bundled insted of separated libs. + - Only ghostscript uses ijs, so use bundled insted of separated libs. * Fri Jan 20 2023 Funda Wang - 9.56.1-1 - Import package for anolis 23 diff --git a/ps2epsi-permit-devices.patch b/ps2epsi-permit-devices.patch new file mode 100644 index 0000000000000000000000000000000000000000..7bccbe5f07065f97da69081ce1799934a0003e31 --- /dev/null +++ b/ps2epsi-permit-devices.patch @@ -0,0 +1,12 @@ +diff --git a/lib/ps2epsi b/lib/ps2epsi +index dbfc9fb..0db8959 100755 +--- a/lib/ps2epsi ++++ b/lib/ps2epsi +@@ -42,6 +42,6 @@ fi + + # Note, we expect 'ps2epsi.ps' to be on one of the search paths which can be seen by: gs -h + "$GS_EXECUTABLE" -q -dNOOUTERSAVE -dNODISPLAY -dLastPage=1 -sOutputFile="${outfile}" \ +- --permit-file-all="${infile}" -- ps2epsi.ps "${infile}" 1>&2 ++ --permit-file-all="${infile}" --permit-devices="eps2write:bit" -- ps2epsi.ps "${infile}" 1>&2 + + exit 0