From a16cd73a024ed11badb2502b9c7889931a72406c Mon Sep 17 00:00:00 2001 From: zhangxianting Date: Fri, 12 Jul 2024 18:10:20 +0800 Subject: [PATCH] Fix CVE-2024-29511 --- ...nds-checks-when-using-CIDFont-relate.patch | 3 +- ...e-original-fix-was-overly-aggressive.patch | 215 ++++++++++++++++++ ...ect-OCRLanguage-changes-after-SAFER-.patch | 3 +- ...-allow-PDF-files-with-bad-Filters-to.patch | 3 +- ...707510-don-t-use-strlen-on-passwords.patch | 3 +- Bug-707510-fix-LIBIDN-usage.patch | 3 +- Bug-707510-review-printing-of-pointers.patch | 3 +- ghostscript.spec | 17 +- 8 files changed, 242 insertions(+), 8 deletions(-) create mode 100644 Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch diff --git a/Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch b/Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch index 47b00d8..808c106 100644 --- a/Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch +++ b/Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch @@ -1,8 +1,9 @@ From 7745dbe24514710b0cfba925e608e607dee9eb0f Mon Sep 17 00:00:00 2001 From: Chris Liddell Date: Wed, 24 Jan 2024 18:25:12 +0000 -Subject: [PATCH 3/6] Bug 707510(3): Bounds checks when using CIDFont related +Subject: [PATCH 3/7] Bug 707510(3): Bounds checks when using CIDFont related params +https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7745dbe24514 Specifically, for CIDFont substitution. --- diff --git a/Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch b/Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch new file mode 100644 index 0000000..ab134e7 --- /dev/null +++ b/Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch 
@@ -0,0 +1,215 @@ +From 638159c43dbb48425a187d244ec288d252d0ecf4 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Wed, 31 Jan 2024 14:08:18 +0000 +Subject: [PATCH 6/7] Bug 707510(5)2: The original fix was overly aggressive +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=638159c43dbb48425a187d244ec288d252d0ecf4 + +The way the default OCRLanguage value was set was for the relevant get_params +methods to check if the value had been set, and if not return a default value. +This could result in the first time the put_params seeing that value being after +path control has been enabled, meaning it would throw an invalidaccess error. + +This changes how we set the default: they now uses an init_device method, so +the string is populated from the device's creation. This works correctly for +both the default value, and for values set on the command line. +--- + devices/gdevocr.c | 17 ++++++++++++++++- + devices/gdevpdfocr.c | 28 ++++++++++++++++++++++------ + devices/vector/gdevpdf.c | 15 +++++++++++++++ + devices/vector/gdevpdfp.c | 3 ++- + 4 files changed, 55 insertions(+), 8 deletions(-) + +diff --git a/devices/gdevocr.c b/devices/gdevocr.c +index 7f2c6ea3b..b874525de 100644 +--- a/devices/gdevocr.c ++++ b/devices/gdevocr.c +@@ -30,6 +30,7 @@ + #define X_DPI 72 + #define Y_DPI 72 + ++static dev_proc_initialize_device(ocr_initialize_device); + static dev_proc_print_page(ocr_print_page); + static dev_proc_print_page(hocr_print_page); + static dev_proc_get_params(ocr_get_params); +@@ -55,6 +56,7 @@ ocr_initialize_device_procs(gx_device *dev) + { + gdev_prn_initialize_device_procs_gray_bg(dev); + ++ set_dev_proc(dev, initialize_device, ocr_initialize_device); + set_dev_proc(dev, open_device, ocr_open); + set_dev_proc(dev, close_device, ocr_close); + set_dev_proc(dev, get_params, ocr_get_params); +@@ -79,6 +81,7 @@ hocr_initialize_device_procs(gx_device *dev) + { + gdev_prn_initialize_device_procs_gray_bg(dev); + ++ set_dev_proc(dev, initialize_device, 
ocr_initialize_device); + set_dev_proc(dev, open_device, ocr_open); + set_dev_proc(dev, close_device, hocr_close); + set_dev_proc(dev, get_params, ocr_get_params); +@@ -102,6 +105,17 @@ const gx_device_ocr gs_hocr_device = + #define HOCR_HEADER "\n \n" + #define HOCR_TRAILER " \n\n" + ++static int ++ocr_initialize_device(gx_device *dev) ++{ ++ gx_device_ocr *odev = (gx_device_ocr *)dev; ++ const char *default_ocr_lang = "eng"; ++ ++ odev->language[0] = '\0'; ++ strcpy(odev->language, default_ocr_lang); ++ return 0; ++} ++ + static int + ocr_open(gx_device *pdev) + { +@@ -185,7 +199,8 @@ ocr_put_params(gx_device *dev, gs_param_list *plist) + + switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) { + case 0: +- if (pdev->memory->gs_lib_ctx->core->path_control_active) { ++ if (pdev->memory->gs_lib_ctx->core->path_control_active ++ && (strlen(pdev->language) != langstr.size || memcmp(pdev->language, langstr.data, langstr.size) != 0)) { + return_error(gs_error_invalidaccess); + } + else { +diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c +index 0d3c42d8b..f2bec1b49 100644 +--- a/devices/gdevpdfocr.c ++++ b/devices/gdevpdfocr.c +@@ -33,9 +33,9 @@ + #include "gdevpdfimg.h" + #include "tessocr.h" + +-int pdf_ocr_open(gx_device *pdev); +-int pdf_ocr_close(gx_device *pdev); +- ++static dev_proc_initialize_device(pdf_ocr_initialize_device); ++static dev_proc_open_device(pdf_ocr_open); ++static dev_proc_close_device(pdf_ocr_close); + + static int + pdfocr_put_some_params(gx_device * dev, gs_param_list * plist) +@@ -50,7 +50,8 @@ pdfocr_put_some_params(gx_device * dev, gs_param_list * plist) + + switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) { + case 0: +- if (pdf_dev->memory->gs_lib_ctx->core->path_control_active) { ++ if (pdf_dev->memory->gs_lib_ctx->core->path_control_active ++ && (strlen(pdf_dev->ocr.language) != langstr.size || memcmp(pdf_dev->ocr.language, langstr.data, langstr.size) != 0)) { + 
return_error(gs_error_invalidaccess); + } + else { +@@ -152,6 +153,8 @@ pdfocr8_initialize_device_procs(gx_device *dev) + { + gdev_prn_initialize_device_procs_gray(dev); + ++ set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device); ++ set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device); + set_dev_proc(dev, open_device, pdf_ocr_open); + set_dev_proc(dev, output_page, gdev_prn_output_page_seekable); + set_dev_proc(dev, close_device, pdf_ocr_close); +@@ -185,6 +188,7 @@ pdfocr24_initialize_device_procs(gx_device *dev) + { + gdev_prn_initialize_device_procs_rgb(dev); + ++ set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device); + set_dev_proc(dev, open_device, pdf_ocr_open); + set_dev_proc(dev, output_page, gdev_prn_output_page_seekable); + set_dev_proc(dev, close_device, pdf_ocr_close); +@@ -216,6 +220,7 @@ pdfocr32_initialize_device_procs(gx_device *dev) + { + gdev_prn_initialize_device_procs_cmyk8(dev); + ++ set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device); + set_dev_proc(dev, open_device, pdf_ocr_open); + set_dev_proc(dev, output_page, gdev_prn_output_page_seekable); + set_dev_proc(dev, close_device, pdf_ocr_close); +@@ -703,7 +708,18 @@ ocr_end_page(gx_device_pdf_image *dev) + return 0; + } + +-int ++static int ++pdf_ocr_initialize_device(gx_device *dev) ++{ ++ gx_device_pdf_image *ppdev = (gx_device_pdf_image *)dev; ++ const char *default_ocr_lang = "eng"; ++ ++ ppdev->ocr.language[0] = '\0'; ++ strcpy(ppdev->ocr.language, default_ocr_lang); ++ return 0; ++} ++ ++static int + pdf_ocr_open(gx_device *pdev) + { + gx_device_pdf_image *ppdev; +@@ -726,7 +742,7 @@ pdf_ocr_open(gx_device *pdev) + return 0; + } + +-int ++static int + pdf_ocr_close(gx_device *pdev) + { + gx_device_pdf_image *pdf_dev; +diff --git a/devices/vector/gdevpdf.c b/devices/vector/gdevpdf.c +index 6e364d1c7..042e1b4e9 100644 +--- a/devices/vector/gdevpdf.c ++++ b/devices/vector/gdevpdf.c +@@ -215,6 +215,7 @@ device_pdfwrite_finalize(const gs_memory_t 
*cmem, void *vpdev) + } + + /* Driver procedures */ ++static dev_proc_initialize_device(pdfwrite_initialize_device); + static dev_proc_open_device(pdf_open); + static dev_proc_output_page(pdf_output_page); + static dev_proc_close_device(pdf_close); +@@ -232,6 +233,7 @@ static dev_proc_close_device(pdf_close); + static void + pdfwrite_initialize_device_procs(gx_device *dev) + { ++ set_dev_proc(dev, initialize_device, pdfwrite_initialize_device); + set_dev_proc(dev, open_device, pdf_open); + set_dev_proc(dev, get_initial_matrix, gx_upright_get_initial_matrix); + set_dev_proc(dev, output_page, pdf_output_page); +@@ -777,6 +779,19 @@ pdf_reset_text(gx_device_pdf * pdev) + pdf_reset_text_state(pdev->text); + } + ++static int ++pdfwrite_initialize_device(gx_device *dev) ++{ ++#if OCR_VERSION > 0 ++ gx_device_pdf *pdev = (gx_device_pdf *) dev; ++ const char *default_ocr_lang = "eng"; ++ pdev->ocr_language[0] = '\0'; ++ strcpy(pdev->ocr_language, default_ocr_lang); ++#endif ++ return 0; ++} ++ ++ + /* Open the device. */ + static int + pdf_open(gx_device * dev) +diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c +index 1f7106c0b..1fdfeaef3 100644 +--- a/devices/vector/gdevpdfp.c ++++ b/devices/vector/gdevpdfp.c +@@ -472,7 +472,8 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par + gs_param_string langstr; + switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) { + case 0: +- if (pdev->memory->gs_lib_ctx->core->path_control_active) { ++ if (pdev->memory->gs_lib_ctx->core->path_control_active ++ && (strlen(pdev->ocr_language) != langstr.size || memcmp(pdev->ocr_language, langstr.data, langstr.size) != 0)) { + return_error(gs_error_invalidaccess); + } + else { +-- +2.34.1 + diff --git a/Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch b/Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch index 68902ea..0e1fa7e 100644 --- a/Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch 
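Review bot: The embedded upstream commit registers the same proc twice in `pdfocr8_initialize_device_procs` — the `@@ -152,6 +153,8 @@` hunk of devices/gdevpdfocr.c adds `set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);` on two consecutive lines, while the pdfocr24 and pdfocr32 variants add it once. It is harmless, as the second call only reassigns the same slot, so whether to drop the duplicate or keep the backport byte-identical to upstream 638159c43dbb is a packaging-policy call. The three new `*_initialize_device` functions `strcpy` the literal "eng" into `language` / `ocr.language` / `ocr_language` after a redundant `[0] = '\0'`; the array sizes are declared outside this patch, so the copy presumably fits, but `snprintf(odev->language, sizeof odev->language, "%s", default_ocr_lang);` would make the bound visible at the write. Since this backport targets 9.55.0, it is worth confirming that tree already provides the `initialize_device` proc slot and the `dev_proc_initialize_device` macro the patch relies on, because nothing in the patch adds them.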
+++ b/Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch @@ -1,8 +1,9 @@ From 3d4cfdc1a44b1969a0f14c86673a372654d443c4 Mon Sep 17 00:00:00 2001 From: Chris Liddell Date: Wed, 24 Jan 2024 17:06:01 +0000 -Subject: [PATCH 5/6] Bug 707510(5): Reject OCRLanguage changes after SAFER +Subject: [PATCH 5/7] Bug 707510(5): Reject OCRLanguage changes after SAFER enabled +https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3d4cfdc1a44 In the devices that support OCR, OCRLanguage really ought never to be set from PostScript, so reject attempts to change it if path_control_active is true. diff --git a/Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch b/Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch index a77ed9b..5a3cb56 100644 --- a/Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch +++ b/Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch @@ -1,8 +1,9 @@ From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001 From: Ken Sharp Date: Thu, 25 Jan 2024 11:55:49 +0000 -Subject: [PATCH 2/6] Bug 707510 - don't allow PDF files with bad Filters to +Subject: [PATCH 2/7] Bug 707510 - don't allow PDF files with bad Filters to overflow the debug buffer +http://www.ghostscript.com/cgi-bin/findgit.cgi?77dc7f699beba606937b7ea23b50cf5974fa64b1 Item #2 of the report. diff --git a/Bug-707510-don-t-use-strlen-on-passwords.patch b/Bug-707510-don-t-use-strlen-on-passwords.patch index 8bf2b37..82438e7 100644 --- a/Bug-707510-don-t-use-strlen-on-passwords.patch +++ b/Bug-707510-don-t-use-strlen-on-passwords.patch @@ -1,7 +1,8 @@ From 917b3a71fb20748965254631199ad98210d6c2fb Mon Sep 17 00:00:00 2001 
From: Ken Sharp Date: Thu, 25 Jan 2024 11:58:22 +0000 -Subject: [PATCH 1/6] Bug 707510 - don't use strlen on passwords +Subject: [PATCH 1/7] Bug 707510 - don't use strlen on passwords +http://www.ghostscript.com/cgi-bin/findgit.cgi?917b3a71fb20748965254631199ad98210d6c2fb Item #1 of the report. This looks like an oversight when first coding the routine. We should use the PostScript string length, because diff --git a/Bug-707510-fix-LIBIDN-usage.patch b/Bug-707510-fix-LIBIDN-usage.patch index 74eef9b..9ac8ec2 100644 --- a/Bug-707510-fix-LIBIDN-usage.patch +++ b/Bug-707510-fix-LIBIDN-usage.patch @@ -1,7 +1,8 @@ From d99396635f3d6ac6a1168e1af21a669e5c8f695f Mon Sep 17 00:00:00 2001 From: Ken Sharp Date: Thu, 25 Jan 2024 12:16:56 +0000 -Subject: [PATCH 6/6] Bug 707510 - fix LIBIDN usage +Subject: [PATCH 7/7] Bug 707510 - fix LIBIDN usage +http://www.ghostscript.com/cgi-bin/findgit.cgi?d99396635f3d6ac6a1168e1af21a669e5c8f695f This wasn't a reported fault, but it bears fixing anyway. diff --git a/Bug-707510-review-printing-of-pointers.patch b/Bug-707510-review-printing-of-pointers.patch index 8e0a445..1b60b93 100644 --- a/Bug-707510-review-printing-of-pointers.patch +++ b/Bug-707510-review-printing-of-pointers.patch @@ -1,7 +1,8 @@ From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001 From: Ken Sharp Date: Thu, 25 Jan 2024 11:53:44 +0000 -Subject: [PATCH 4/6] Bug 707510 - review printing of pointers +Subject: [PATCH 4/7] Bug 707510 - review printing of pointers +http://www.ghostscript.com/cgi-bin/findgit.cgi?ff1013a0ab485b66783b70145e342a82c670906a This is for item 4 of the report, which is addressed by the change in gdevpdtb.c. That change uses a fixed name for fonts which have no name diff --git a/ghostscript.spec b/ghostscript.spec index 86d6def..e908926 100644 --- a/ghostscript.spec +++ b/ghostscript.spec 
@@ -9,7 +9,7 @@ Name: ghostscript Version: 9.55.0 -Release: 10 +Release: 11 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ @@ -30,12 +30,19 @@ Patch11: fix-CVE-2024-33870.patch # https://bugs.ghostscript.com/show_bug.cgi?id=707510 # CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511 +# CVE-2024-29509 Patch12: Bug-707510-don-t-use-strlen-on-passwords.patch +# CVE-2024-29506 Patch13: Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch +# CVE-2024-29507 Patch14: Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch +# CVE-2024-29508 Patch15: Bug-707510-review-printing-of-pointers.patch +# CVE-2024-29511 Patch16: Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch -Patch17: Bug-707510-fix-LIBIDN-usage.patch +Patch17: Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch + +Patch18: Bug-707510-fix-LIBIDN-usage.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -196,6 +203,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Fri Jul 12 2024 zhangxianting - 9.55.0-11 +- Type:CVE +- ID:NA +- SUG:NA +- DECS: This is the second part of the fix for CVE-2024-29511 + * Thu Jul 04 2024 zhangxianting - 9.55.0-10 - Type:CVE - ID:NA -- Gitee
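Review bot: Patch18 is declared in the `@@ -30,12 +30,19 @@` hunk but nothing in the diff applies it; if %prep applies patches with explicit `%patchN` lines rather than `%autosetup -p1`, a `%patch18 -p1` line is needed, since %patch17 now applies the OCRLanguage follow-up instead of the LIBIDN patch. The new `# CVE-2024-29511` comment sits above Patch16 only, while the changelog states Patch17 is the second part of that fix; a line such as `# CVE-2024-29511 (follow-up: the first fix was overly aggressive)` above Patch17 would keep the patch-to-CVE mapping complete. In the changelog entry, `- DECS:` looks like a typo for `- DESC:`.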