diff --git a/CVE-2023-46751.patch b/CVE-2023-46751.patch
deleted file mode 100644
index 1e0c31f176192715c0d53289555d53e70f38445b..0000000000000000000000000000000000000000
--- a/CVE-2023-46751.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 5d2da96e81c7455338302c71a291088a8396245a Mon Sep 17 00:00:00 2001
-From: Chris Liddell
-Date: Mon, 16 Oct 2023 16:49:40 +0100
-Subject: [PATCH] Bug 707264: Fix tiffsep(1) requirement for seekable output
- files
-
-In the device initialization redesign, tiffsep and tiffsep1 lost the requirement
-for the output files to be seekable.
-
-Fixing that highlighted a problem with the error handling in
-gdev_prn_open_printer_seekable() where closing the erroring file would leave a
-dangling pointer, and lead to a crash.
----
- base/gdevprn.c | 1 +
- devices/gdevtsep.c | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/base/gdevprn.c b/base/gdevprn.c
-index 0491a3c6c..033632387 100644
---- a/base/gdevprn.c
-+++ b/base/gdevprn.c
-@@ -1271,6 +1271,7 @@ gdev_prn_open_printer_seekable(gx_device *pdev, bool binary_mode,
- && !IS_LIBCTX_STDERR(pdev->memory, gp_get_file(ppdev->file))) {
-
- code = gx_device_close_output_file(pdev, ppdev->fname, ppdev->file);
-+ ppdev->file = NULL;
- if (code < 0)
- return code;
- }
-diff --git a/devices/gdevtsep.c b/devices/gdevtsep.c
-index 7fd3c5518..f7a1b174b 100644
---- a/devices/gdevtsep.c
-+++ b/devices/gdevtsep.c
-@@ -737,6 +737,7 @@ tiffsep_initialize_device_procs(gx_device *dev)
- {
- gdev_prn_initialize_device_procs(dev);
-
-+ set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
- set_dev_proc(dev, open_device, tiffsep_prn_open);
- set_dev_proc(dev, close_device, tiffsep_prn_close);
- set_dev_proc(dev, map_color_rgb, tiffsep_decode_color);
---
-2.34.1
diff --git a/fix-CVE-2024-33871.patch b/fix-CVE-2024-33871.patch
new file mode 100644
index 0000000000000000000000000000000000000000..111871531877c0362dbea73ca1fadf0681ff9f38
--- /dev/null
+++ b/fix-CVE-2024-33871.patch
@@ -0,0 +1,62 @@
+diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
+index 70475ad..013a497 100644
+--- a/contrib/opvp/gdevopvp.c
++++ b/contrib/opvp/gdevopvp.c
+@@ -185,7 +185,7 @@ static int opvp_copy_color(gx_device *, const byte *, int, int,
+ static int _get_params(gs_param_list *);
+ static int opvp_get_params(gx_device *, gs_param_list *);
+ static int oprp_get_params(gx_device *, gs_param_list *);
+-static int _put_params(gs_param_list *);
++static int _put_params(gx_device *, gs_param_list *);
+ static int opvp_put_params(gx_device *, gs_param_list *);
+ static int oprp_put_params(gx_device *, gs_param_list *);
+ static int opvp_fill_path(gx_device *, const gs_gstate *, gx_path *,
+@@ -3043,7 +3043,7 @@ _get_params(gs_param_list *plist)
+ /* vector driver name */
+ pname = "Driver";
+ vdps.data = (byte *)vectorDriver;
+- vdps.size = (vectorDriver ? strlen(vectorDriver) + 1 : 0);
++ vdps.size = (vectorDriver ? strlen(vectorDriver) : 0);
+ vdps.persistent = false;
+ code = param_write_string(plist, pname, &vdps);
+ if (code) ecode = code;
+@@ -3180,7 +3180,7 @@ oprp_get_params(gx_device *dev, gs_param_list *plist)
+ * put params
+ */
+ static int
+-_put_params(gs_param_list *plist)
++_put_params(gx_device *dev, gs_param_list *plist)
+ {
+ int code;
+ int ecode = 0;
+@@ -3202,6 +3202,12 @@ _put_params(gs_param_list *plist)
+ code = param_read_string(plist, pname, &vdps);
+ switch (code) {
+ case 0:
++ if (gs_is_path_control_active(dev->memory)
++ && (!vectorDriver || strlen(vectorDriver) != vdps.size
++ || memcmp(vectorDriver, vdps.data, vdps.size) != 0)) {
++ param_signal_error(plist, pname, gs_error_invalidaccess);
++ return_error(gs_error_invalidaccess);
++ }
+ buff = realloc(buff, vdps.size + 1);
+ memcpy(buff, vdps.data, vdps.size);
+ buff[vdps.size] = 0;
+@@ -3403,7 +3409,7 @@ opvp_put_params(gx_device *dev, gs_param_list *plist)
+ int code;
+
+ /* put params */
+- code = _put_params(plist);
++ code = _put_params(dev, plist);
+ if (code) return code;
+
+ /* put default params */
+@@ -3419,7 +3425,7 @@ oprp_put_params(gx_device *dev, gs_param_list *plist)
+ int code;
+
+ /* put params */
+- code = _put_params(plist);
++ code = _put_params(dev, plist);
+ if (code) return code;
+
+ /* put default params */
diff --git a/ghostscript.spec b/ghostscript.spec
index e9089265a4124676d2252107b2691348018de829..b4c05048b6f1d06d3da9c783fa37675c910faf36 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -9,7 +9,7 @@
 
 Name: ghostscript
 Version: 9.55.0
-Release: 11
+Release: 12
 Summary: An interpreter for PostScript and PDF files
 License: AGPLv3+
 URL: https://ghostscript.com/
@@ -41,8 +41,8 @@ Patch15: Bug-707510-review-printing-of-pointers.patch
 # CVE-2024-29511
 Patch16: Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch
 Patch17: Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch
-
 Patch18: Bug-707510-fix-LIBIDN-usage.patch
+Patch19: fix-CVE-2024-33871.patch
 
 BuildRequires: automake gcc
 BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -203,6 +203,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 
 %changelog
+* Tue Sep 24 2024 dillon chen - 9.55.0-12
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: fix CVE-2024-33871
+
 * Fri Jul 12 2024 zhangxianting - 9.55.0-11
 - Type:CVE
 - ID:NA
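Review bot: The guard added to `_put_params` in the `@@ -3202,6 +3202,12 @@` hunk of fix-CVE-2024-33871.patch has no comment, although its equality test only works together with the `_get_params` hunk at 3043, which now writes `strlen(vectorDriver)` without the trailing NUL so that a value read back and re-submitted compares equal to the stored one. I would add above the `if` something like `/* With path control active, Driver may only be re-set to its current value; any change is rejected. */`, and a short remark at `vdps.size` in `_get_params` saying the size deliberately excludes the terminator. The rejection returns straight out of the `switch`, so the parameters after "Driver" are not read on that path; this looks intended for a security reject but is worth stating, since the function otherwise declares `ecode` to collect errors. Separately, in the unchanged context right after the guard, the result of `realloc(buff, vdps.size + 1)` goes to `memcpy` unchecked; that predates this change, and the body of `_put_params` extends beyond the hunk.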