diff --git a/1-bugfix-for-CVE-2025-59799.patch b/1-bugfix-for-CVE-2025-59799.patch deleted file mode 100644 index 304faa4865791bcded2195a4b640d3d89ca3aeb5..0000000000000000000000000000000000000000 --- a/1-bugfix-for-CVE-2025-59799.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 6dab38fb211f15226c242ab7a83fa53e4b0ff781 Mon Sep 17 00:00:00 2001 -From: Piotr Kajda -Date: Thu, 8 May 2025 11:37:09 +0100 -Subject: [PATCH] pdfwrite - bounds check some strings - -Bug #708517 - -This differs very slightly from the proposed patch in the bug report, I -had a quick scout through the C file and found another similar case. - -Both fixed here. ---- - devices/vector/gdevpdfm.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/devices/vector/gdevpdfm.c b/devices/vector/gdevpdfm.c -index 5aa3644e2e..4b1d7d89c3 100644 ---- a/devices/vector/gdevpdfm.c -+++ b/devices/vector/gdevpdfm.c -@@ -200,6 +200,8 @@ pdfmark_coerce_dest(gs_param_string *dstr, char dest[MAX_DEST_STRING]) - { - const byte *data = dstr->data; - uint size = dstr->size; -+ if (size > MAX_DEST_STRING) -+ return_error(gs_error_limitcheck); - if (size == 0 || data[0] != '(') - return 0; - /****** HANDLE ESCAPES ******/ -@@ -868,6 +870,8 @@ pdfmark_put_ao_pairs(gx_device_pdf * pdev, cos_dict_t *pcd, - char buf[30]; - int d0, d1; - -+ if (Action[1].size > 29) -+ return_error(gs_error_rangecheck); - memcpy(buf, Action[1].data, Action[1].size); - buf[Action[1].size] = 0; - if (sscanf(buf, "%d %d R", &d0, &d1) == 2) diff --git a/2-bugfix-for-CVE-2025-59798.patch b/2-bugfix-for-CVE-2025-59798.patch deleted file mode 100644 index 5a023016af751bbbd80f7d8ca8cbf94501690dc9..0000000000000000000000000000000000000000 --- a/2-bugfix-for-CVE-2025-59798.patch +++ /dev/null @@ -1,130 +0,0 @@ -From 0cae41b23a9669e801211dd4cf97b6dadd6dbdd7 Mon Sep 17 00:00:00 2001 -From: Ken Sharp -Date: Thu, 22 May 2025 12:25:41 +0100 -Subject: [PATCH] pdfwrite - avoid buffer overrun - -Bug #708539 "Buffer overflow in pdf_write_cmap" - -The proposed fix in the report solves the buffer overrun, but does not -tackle a number of other problems. - -This commit checks the result of stream_puts() in -pdf_write_cid_system_info_to_stream() and correctly signals an error to -the caller if that fails. - -In pdf_write_cid_system_info we replace a (rather small!) fixed size -buffer with a dynamically allocated one using the lengths of the strings -which pdf_write_cid_system_info_to_stream() will write, and a small -fixed overhead to deal with the keys and initial byte '/'. - -Because 'buf' is used in the stream 's', if it is too small to hold all -the CIDSystemInfo then we would get an error which was simply discarded -previously. - -We now should avoid the potential error by ensuring the buffer is large -enough for all the information, and if we do get an error we no longer -silently ignore it, which would write an invalid PDF file. ---- - devices/vector/gdevpdtw.c | 52 ++++++++++++++++++++++++++++++--------- - 1 file changed, 41 insertions(+), 11 deletions(-) - -diff --git a/devices/vector/gdevpdtw.c b/devices/vector/gdevpdtw.c -index ced15c9b2b..fe24dd73ac 100644 ---- a/devices/vector/gdevpdtw.c -+++ b/devices/vector/gdevpdtw.c -@@ -703,7 +703,8 @@ static int - pdf_write_cid_system_info_to_stream(gx_device_pdf *pdev, stream *s, - const gs_cid_system_info_t *pcidsi, gs_id object_id) - { -- byte *Registry, *Ordering; -+ byte *Registry = NULL, *Ordering = NULL; -+ int code = 0; - - Registry = gs_alloc_bytes(pdev->pdf_memory, pcidsi->Registry.size, "temporary buffer for Registry"); - if (!Registry) -@@ -734,14 +735,19 @@ pdf_write_cid_system_info_to_stream(gx_device_pdf *pdev, stream *s, - } - s_arcfour_process_buffer(&sarc4, Ordering, pcidsi->Ordering.size); - } -- stream_puts(s, "<<\n/Registry"); -+ code = stream_puts(s, "<<\n/Registry"); -+ if (code < 0) -+ goto error; - s_write_ps_string(s, Registry, pcidsi->Registry.size, PRINT_HEX_NOT_OK); -- stream_puts(s, "\n/Ordering"); -+ code = stream_puts(s, "\n/Ordering"); -+ if(code < 0) -+ goto error; - s_write_ps_string(s, Ordering, pcidsi->Ordering.size, PRINT_HEX_NOT_OK); -+error: - pprintd1(s, "\n/Supplement %d\n>>\n", pcidsi->Supplement); - gs_free_object(pdev->pdf_memory, Registry, "free temporary Registry buffer"); - gs_free_object(pdev->pdf_memory, Ordering, "free temporary Ordering buffer"); -- return 0; -+ return code; - } - - int -@@ -786,31 +792,55 @@ pdf_write_cmap(gx_device_pdf *pdev, const gs_cmap_t *pcmap, - *ppres = writer.pres; - writer.pres->where_used = 0; /* CMap isn't a PDF resource. */ - if (!pcmap->ToUnicode) { -- byte buf[200]; -+ byte *buf = NULL; -+ uint64_t buflen = 0; - cos_dict_t *pcd = (cos_dict_t *)writer.pres->object; - stream s; - -+ /* We use 'buf' for the stream 's' below and that needs to have some extra -+ * space for the CIDSystemInfo. We also need an extra byte for the leading '/' -+ * 100 bytes is ample for the overhead. -+ */ -+ buflen = pcmap->CIDSystemInfo->Registry.size + pcmap->CIDSystemInfo->Ordering.size + pcmap->CMapName.size + 100; -+ if (buflen > max_uint) -+ return_error(gs_error_limitcheck); -+ -+ buf = gs_alloc_bytes(pdev->memory, buflen, "pdf_write_cmap"); -+ if (buf == NULL) -+ return_error(gs_error_VMerror); -+ - code = cos_dict_put_c_key_int(pcd, "/WMode", pcmap->WMode); -- if (code < 0) -+ if (code < 0) { -+ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); - return code; -+ } - buf[0] = '/'; - memcpy(buf + 1, pcmap->CMapName.data, pcmap->CMapName.size); - code = cos_dict_put_c_key_string(pcd, "/CMapName", - buf, pcmap->CMapName.size + 1); -- if (code < 0) -+ if (code < 0) { -+ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); - return code; -+ } - s_init(&s, pdev->memory); -- swrite_string(&s, buf, sizeof(buf)); -+ swrite_string(&s, buf, buflen); - code = pdf_write_cid_system_info_to_stream(pdev, &s, pcmap->CIDSystemInfo, 0); -- if (code < 0) -+ if (code < 0) { -+ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); - return code; -+ } - code = cos_dict_put_c_key_string(pcd, "/CIDSystemInfo", - buf, stell(&s)); -- if (code < 0) -+ if (code < 0) { -+ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); - return code; -+ } - code = cos_dict_put_string_copy(pcd, "/Type", "/CMap"); -- if (code < 0) -+ if (code < 0) { -+ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); - return code; -+ } -+ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); - } - if (pcmap->CMapName.size == 0) { - /* Create an arbitrary name (for ToUnicode CMap). */ diff --git a/3-bugfix-for-CVE-2025-59800.patch b/3-bugfix-for-CVE-2025-59800.patch deleted file mode 100644 index 696f7c28266be52870096c0cfd083409458a5dd3..0000000000000000000000000000000000000000 --- a/3-bugfix-for-CVE-2025-59800.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 176cf0188a2294bc307b8caec876f39412e58350 Mon Sep 17 00:00:00 2001 -From: Ken Sharp -Date: Tue, 1 Jul 2025 10:31:17 +0100 -Subject: [PATCH] PDF OCR 8 bit device - avoid overflow - -Bug 708602 "Heap overflow in ocr_line8" - -Make sure the calculation of the required raster size does not overflow -an int. ---- - devices/gdevpdfocr.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c -index f27dc11db0..6362f41041 100644 ---- a/devices/gdevpdfocr.c -+++ b/devices/gdevpdfocr.c -@@ -521,9 +521,12 @@ ocr_line32(gx_device_pdf_image *dev, void *row) - static int - ocr_begin_page(gx_device_pdf_image *dev, int w, int h, int bpp) - { -- int raster = (w+3)&~3; -+ int64_t raster = (w + 3) & ~3; - -- dev->ocr.data = gs_alloc_bytes(dev->memory, raster * h, "ocr_begin_page"); -+ raster = raster * (int64_t)h; -+ if (raster < 0 || raster > max_size_t) -+ return gs_note_error(gs_error_VMerror); -+ dev->ocr.data = gs_alloc_bytes(dev->memory, raster, "ocr_begin_page"); - if (dev->ocr.data == NULL) - return_error(gs_error_VMerror); - dev->ocr.w = w; diff --git a/4-bugfix-for-CVE-2025-7462.patch b/4-bugfix-for-CVE-2025-7462.patch deleted file mode 100644 index 27d6f6cfbed234460281033cabfff08f4aaec3b2..0000000000000000000000000000000000000000 --- a/4-bugfix-for-CVE-2025-7462.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 619a106ba4c4abed95110f84d5efcd7aee38c7cb Mon Sep 17 00:00:00 2001 -From: Chris Liddell -Date: Wed, 25 Jun 2025 13:23:41 +0100 -Subject: Bug 708606: Catch a null file pointer closing pdfwrite. - -In the event of an error opening a new output file. ---- - devices/vector/gdevpdf.c | 14 +++++++++----- - 1 file changed, 9 insertions(+), 5 deletions(-) - -diff --git a/devices/vector/gdevpdf.c b/devices/vector/gdevpdf.c -index e75f33a6c..d7d5e8c6b 100644 ---- a/devices/vector/gdevpdf.c -+++ b/devices/vector/gdevpdf.c -@@ -983,7 +983,10 @@ pdf_ferror(gx_device_pdf *pdev) - { - int code = 0; - -- gp_fflush(pdev->file); -+ if (pdev->file != NULL) { -+ gp_fflush(pdev->file); -+ code = gp_ferror(pdev->file); -+ } - gp_fflush(pdev->xref.file); - if (pdev->strm->file != NULL) - sflush(pdev->strm); -@@ -992,12 +995,13 @@ pdf_ferror(gx_device_pdf *pdev) - if (pdev->streams.strm->file != NULL) - sflush(pdev->streams.strm); - if (pdev->ObjStm.strm != NULL && pdev->ObjStm.strm->file != NULL) { -+ int code2; - sflush(pdev->ObjStm.strm); -- code = gp_ferror(pdev->ObjStm.file); -+ code2 = gp_ferror(pdev->ObjStm.file); -+ if (code >= 0) code = code2; - } -- return gp_ferror(pdev->file) || gp_ferror(pdev->xref.file) || -- gp_ferror(pdev->asides.file) || gp_ferror(pdev->streams.file) || -- code; -+ return gp_ferror(pdev->xref.file) || gp_ferror(pdev->asides.file) || -+ gp_ferror(pdev->streams.file) || code; - } - - /* Compute the dominant text orientation of a page. */ --- -cgit v1.2.3 - diff --git a/ghostscript-10.05.1.tar.xz b/ghostscript-10.06.0.tar.xz similarity index 83% rename from ghostscript-10.05.1.tar.xz rename to ghostscript-10.06.0.tar.xz index 60ed4881ec9a5bd56426841eea93d542c9486a89..bd801db15ee63433fb296ab2337b8f68b768f49b 100644 Binary files a/ghostscript-10.05.1.tar.xz and b/ghostscript-10.06.0.tar.xz differ diff --git a/ghostscript.spec b/ghostscript.spec index 932a024af1b7b6183184d2468e1e3fc4e7414efc..59892d20ebae1c193527cfc934a22850e4c30de6 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -1,4 +1,4 @@ -%define anolis_release 5 +%define anolis_release 1 %global _hardened_build 1 %global _docdir_fmt %{name} @@ -9,7 +9,7 @@ Name: ghostscript Summary: Interpreter for PostScript language & PDF -Version: 10.05.1 +Version: 10.06.0 Release: %{anolis_release}%{?dist} License: AGPLv3+ URL: https://ghostscript.com/ @@ -33,17 +33,6 @@ Obsoletes: ghostscript-core < 9.53.3-6 Patch0: ghostscript-10.01.0-fix-linkage.patch -# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=6dab38fb211f15226c242ab7a83fa53e4b0ff781.patch -Patch1: 1-bugfix-for-CVE-2025-59799.patch - -# https://github.com/ArtifexSoftware/ghostpdl/commit/0cae41b23a9669e801211dd4cf97b6dadd6dbdd7.patch -Patch2: 2-bugfix-for-CVE-2025-59798.patch - -# https://github.com/ArtifexSoftware/ghostpdl/commit/176cf0188a2294bc307b8caec876f39412e58350.patch -Patch3: 3-bugfix-for-CVE-2025-59800.patch -# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=619a106ba4c4abed95110f84d5efcd7aee38c7cb -Patch4: 4-bugfix-for-CVE-2025-7462.patch - %description Ghostscript is an interpreter for PostScript® and Portable Document Format (PDF) files. @@ -237,6 +226,9 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %changelog +* Fri Dec 26 2025 lzq11122 - 10.06.0-1 +- Update to 10.06.0 fix CVE-2025-59801 + * Mon Dec 1 2025 wh02252983 - 10.05.1-5 - Add patch to fix CVE-2025-7462