From 28dd0d8c44a95d9fd50325dca7a3156e04db149b Mon Sep 17 00:00:00 2001
From: Jacob Wang
Date: Tue, 20 May 2025 13:48:27 +0800
Subject: [PATCH] [CVE]update to ghostscript-9.54.0-19 to #IC92ED

update to ghostscript-9.54.0-19 for CVE-2025-27832
Project: TC2024080204
Signed-off-by: Jacob Wang
---
 ...-integer-overflow-leading-to-buffer-.patch | 41 +++++++++++++++++++
 ghostscript.spec | 10 +++--
 2 files changed, 47 insertions(+), 4 deletions(-)
 create mode 100644 0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch

diff --git a/0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch b/0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch
new file mode 100644
index 0000000..09f9b86
--- /dev/null
+++ b/0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch
@@ -0,0 +1,41 @@
+From 57291c846334f1585552010faa42d7cb2cbd5c41 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Wed, 20 Nov 2024 11:42:31 +0000
+Subject: [PATCH] Bug 708133: Avoid integer overflow leading to buffer overflow
+
+The calculation of the buffer size was being done with int values, and
+overflowing that data type. By leaving the total size calculation to the
+memory manager, the calculation ends up being done in size_t values, and
+avoiding the overflow in this case, but also meaning the memory manager
+overflow protection will be effective.
+
+CVE-2025-27832
+---
+ contrib/japanese/gdevnpdl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
+index 60065bacf..4967282bd 100644
+--- a/contrib/japanese/gdevnpdl.c
++++ b/contrib/japanese/gdevnpdl.c
+@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
+ int code;
+ int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
+
+- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
++ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
+ return_error(gs_error_VMerror);
+
+ /* Initialize printer */
+@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
+ /* Form Feed */
+ gp_fputs("\014", prn_stream);
+
+- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
++ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
+ return 0;
+ }
+
+--
+2.49.0
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 0823638..08993b7 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
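Review bot: `maxY` still reaches `gs_malloc` as an unchecked `int` in the first gdevnpdl.c hunk of the added patch, where it is computed as `lprn->BlockLine / lprn->nBh * lprn->nBh`, so the fix covers the multiplication overflow but not a zero or negative element count. Whether the lprn parameter handling already bounds `BlockLine` and `nBh` is not visible here; if it does not, a guard before the allocation such as `if (line_size <= 0 || maxY <= 0) return_error(gs_error_rangecheck);` would make the buffer-size assumption explicit. `npdl_print_page_copies` starts before the first hunk and continues between the two, and `line_size` is declared outside them, so any other `line_size * maxY` arithmetic in the unshown body should be checked for the same `int` overflow.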
@@ -1,4 +1,3 @@
-%define anolis_release .0.1
 #
 # Important notes regarding the package:
 # ======================================
@@ -43,7 +42,7 @@
 Name: ghostscript
 Summary: Interpreter for PostScript language & PDF
 Version: 9.54.0
-Release: 18%{anolis_release}%{?dist}
+Release: 19%{?dist}
 License: AGPLv3+
@@ -139,6 +138,9 @@ Patch020: 0001-Bug-707793-Check-for-overflow-validating-format-stri.patch
 # RHEL-67053 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution
 # https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32cd3
 Patch021: 0001-PostScript-interpreter-fix-buffer-length-check.patch
+# RHEL-88966 CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow
+# https://github.com/ArtifexSoftware/ghostpdl/commit/57291c84633
+Patch022: 0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch
 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
@@ -472,8 +474,8 @@ done
 # =============================================================================
 %changelog
-* Wed May 14 2025 Zhao Hang 9.54.0-18.0.1
-- Bump for Anolis OS
+* Wed May 07 2025 Zdenek Dohnal - 9.54.0-19
+- RHEL-88966 CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow
 * Tue Apr 15 2025 Zdenek Dohnal - 9.54.0-18
 - RHEL-18397 CVE-2023-46751 ghostscript: dangling pointer in gdev_prn_open_printer_seekable()
--
Gitee