diff --git a/bugfix-for-cve-2025-27830.patch b/bugfix-for-cve-2025-27830.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b705a4a709cca28dff9b5adcba2a1704a433dd2c
--- /dev/null
+++ b/bugfix-for-cve-2025-27830.patch
@@ -0,0 +1,81 @@
+From dc17ab3fe8cd43eeaf3f2da9bcaa30a2be69e57b Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Mon, 13 Jan 2025 09:15:01 +0000
+Subject: Bug 708241: Fix potential Buffer overflow with DollarBlend
+
+During serializing a multiple master font for passing to Freetype.
+
+Use CVE-2025-27830
+---
+ base/write_t1.c | 9 +++++----
+ psi/zfapi.c | 9 +++++++--
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/base/write_t1.c b/base/write_t1.c
+index 1faaeb583..6b4482d04 100644
+--- a/base/write_t1.c
++++ b/base/write_t1.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2023 Artifex Software, Inc.
++/* Copyright (C) 2001-2025 Artifex Software, Inc.
+ All Rights Reserved.
+
+ This software is provided AS-IS with no warranty, either express or
+@@ -628,6 +628,7 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
+ WRF_wbyte(a_fapi_font->memory, a_output, '\n');
+ if (is_MM_font(a_fapi_font)) {
+ short x, x2;
++ unsigned short ux;
+ float x1;
+ uint i, j, entries;
+ char Buffer[255];
+@@ -759,16 +760,16 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
+ */
+ code = a_fapi_font->get_word(a_fapi_font,
+ gs_fapi_font_feature_DollarBlend_length,
+- 0, (unsigned short *)&x);
++ 0, &ux);
+ if (code < 0)
+ return code;
+
+- if (x > 0) {
++ if (ux > 0) {
+ int len;
+ WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {");
+
+ if (a_output->m_count)
+- a_output->m_count += x;
++ a_output->m_count += ux;
+ len = a_fapi_font->get_proc(a_fapi_font,
+ gs_fapi_font_feature_DollarBlend, 0,
+ (char *)a_output->m_pos);
+diff --git a/psi/zfapi.c b/psi/zfapi.c
+index fc6141d6b..fc342a81e 100644
+--- a/psi/zfapi.c
++++ b/psi/zfapi.c
+@@ -689,7 +689,7 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
+ /* When reading the real proc, we add a space between each entry */
+ length++;
+ if (array_get(ff->memory, DBlend, i, &Element) < 0) {
+- *ret = 0;
++ length = 0;
+ break;
+ }
+ switch (r_btype(&Element)) {
+@@ -716,7 +716,12 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
+ default:
+ break;
+ }
+- }
++
++ if (length > max_ushort) {
++ length = 0;
++ break;
++ }
++ }
+ *ret = length;
+ break;
+ }
+--
+cgit v1.2.3
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 41b53d4bc8e1bbd2c227ae26efc094c5cb5fa80b..4160415fe75287e8e4ef45ba66bbb7fb66648d69 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -1,4 +1,4 @@
-%define anolis_release 3
+%define anolis_release 4
 %global _hardened_build 1
 %global _docdir_fmt %{name}
@@ -53,7 +53,12 @@ Patch3: Bugfix-for-CVE-2024-33869.patch
 # Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-33871
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc23964f0aa2aec1b1c82b5908
 Patch4: Bugfix-for-CVE-2024-33871.patch
-
+
+# CVE-2025-27830
+# Tracking bug: https://bugs.ghostscript.com/show_bug.cgi?id=708241
+# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=dc17ab3fe8c
+Patch5: bugfix-for-cve-2025-27830.patch
+
 %description
 Ghostscript is an interpreter for PostScript® and Portable Document Format (PDF) files.
@@ -248,6 +253,9 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %changelog
+* Tue Apr 15 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 10.02.1-4
+- Fix CVE-2025-27830
+
 * Mon Mar 17 2025 Zhao Hang - 10.02.1-3
 - Update jbig2dec requires version
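Review bot: The `if (length > max_ushort)` guard that the embedded patch adds to FAPI_FF_get_word in psi/zfapi.c only works if `length` is declared wider than `unsigned short`, and that declaration lies outside the hunk, so it should be confirmed against the 10.02.1 tree this backport is applied to. With a 16-bit `length` the running sum would wrap before the comparison and the guard could never fire. When the guard does fire the function reports a length of 0, and, assuming get_word still returns a non-negative code, write_main_dictionary in base/write_t1.c then skips `/$Blend` through its `ux > 0` test without any diagnostic. A comment above the guard such as `/* too long for the unsigned short result: report 0 so the caller omits $Blend */` would record that this is intended. Both functions start and end outside the hunks shown, and the get_proc call is still handed `a_output->m_pos` with no size argument in the visible lines, so the reserved `ux` bytes and the bytes actually written have to agree.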
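Review bot: The `# Upstream fix:` comment added for Patch5 in ghostscript.spec gives the abbreviated commit id `dc17ab3fe8c`, while the Patch4 entry directly above it uses the full 40-character hash. Writing the full id from the patch header, `?id=dc17ab3fe8cd43eeaf3f2da9bcaa30a2be69e57b`, keeps the provenance of the backport unambiguous for anyone auditing it later. The new file name `bugfix-for-cve-2025-27830.patch` is also lower-case where the earlier entries use the `Bugfix-for-CVE-…` form, which makes the patch list harder to search consistently.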