From 538dcf1cd9f3ed57f59ac40f6f3692c1eba0870f Mon Sep 17 00:00:00 2001
From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
Date: Tue, 22 Apr 2025 09:30:21 +0800
Subject: [PATCH] [CVE] FIX CVE-2025-27832 to #19781 add patch to fix CVE-2025-27832 Project: TC2024080204
Signed-off-by: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
---
 bugfix-for-cve-2025-27832.patch | 41 +++++++++++++++++++++++++++++++++
 ghostscript.spec | 10 +++++++-
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 bugfix-for-cve-2025-27832.patch
diff --git a/bugfix-for-cve-2025-27832.patch b/bugfix-for-cve-2025-27832.patch
new file mode 100644
index 0000000..4451a32
--- /dev/null
+++ b/bugfix-for-cve-2025-27832.patch
@@ -0,0 +1,41 @@
+From 36ac25fca7ba65a2a24d96d553e8dd63990210b9 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Wed, 20 Nov 2024 11:42:31 +0000
+Subject: Bug 708133: Avoid integer overflow leading to buffer overflow
+
+The calculation of the buffer size was being done with int values, and
+overflowing that data type. By leaving the total size calculation to the
+memory manager, the calculation ends up being done in size_t values, and
+avoiding the overflow in this case, but also meaning the memory manager
+overflow protection will be effective.
+
+CVE-2025-27832
+---
+ contrib/japanese/gdevnpdl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
+index 60065bacf..4967282bd 100644
+--- a/contrib/japanese/gdevnpdl.c
++++ b/contrib/japanese/gdevnpdl.c
+@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
+ int code;
+ int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
+
+- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
++ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
+ return_error(gs_error_VMerror);
+
+ /* Initialize printer */
+@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
+ /* Form Feed */
+ gp_fputs("\014", prn_stream);
+
+- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
++ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
+ return 0;
+ }
+
+--
+cgit v1.2.3
+
diff --git a/ghostscript.spec b/ghostscript.spec
index e050b78..f79904b 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -1,4 +1,4 @@
-%define anolis_release 4
+%define anolis_release 5
 %global _hardened_build 1
 %global _docdir_fmt %{name}
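Review bot: In the embedded gdevnpdl.c patch, the new `gs_malloc(..., line_size, maxY, ...)` call still takes two signed `int` factors with no visible range check, and `maxY` is initialised as `lprn->BlockLine / lprn->nBh * lprn->nBh` two lines above it. Moving the multiplication into the allocator addresses the overflow the commit message describes, but a zero or negative factor (or a zero `nBh` divisor) is not rejected here unless the device parameters are validated where they are set, which this hunk does not show. A guard before the allocation such as `if (line_size <= 0 || maxY <= 0) return_error(gs_error_rangecheck);` would make the precondition explicit; because this file is a verbatim upstream backport, that is better raised upstream than edited locally. `npdl_print_page_copies` begins before and continues between the two inner hunks, so any remaining `line_size * maxY` arithmetic used to index `CompBuf` in the unseen part should be checked too.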
@@ -64,6 +64,11 @@ Patch5: bugfix-for-cve-2025-27830.patch
 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=e4db46d7529a
 Patch6: bugfix-for-cve-2025-27831.patch
+# CVE-2025-27832
+# Tracking bug: https://bugs.ghostscript.com/show_bug.cgi?id=708133
+# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=36ac25fca7b
+Patch7: bugfix-for-cve-2025-27832.patch
+
 %description
 Ghostscript is an interpreter for PostScript® and Portable Document Format (PDF) files.
@@ -258,6 +263,9 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %changelog
+* Tue Apr 22 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 10.02.1-5
+- Fix CVE-2025-27832
+
 * Thu Apr 17 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 10.02.1-4
 - Fix CVE-2025-27831
--
Gitee
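Review bot: The `Patch7:` declaration in the `@@ -64,6 +64,11 @@` hunk is the only spec change that references the fix, and the `%prep` section is outside this diff, so it is worth confirming that the spec applies patches with `%autosetup` or `%autopatch` (or has a matching `%patch` line); otherwise the package would list the CVE-2025-27832 patch without applying it. The upstream reference is also abbreviated to `id=36ac25fca7b`, while the embedded patch header carries the full commit id, so the comment could pin `?id=36ac25fca7ba65a2a24d96d553e8dd63990210b9` for unambiguous provenance.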