From 7882c7de83b78f863c8910d322fe47b11cd87971 Mon Sep 17 00:00:00 2001
From: dillon_chen
Date: Tue, 24 Sep 2024 12:28:06 +0800
Subject: [PATCH 1/2] backport CVE-2024-33871 patch
---
fix-CVE-2024-33871.patch | 62 ++++++++++++++++++++++++++++++++++++++++
ghostscript.spec | 10 +++++--
2 files changed, 70 insertions(+), 2 deletions(-)
create mode 100644 fix-CVE-2024-33871.patch
diff --git a/fix-CVE-2024-33871.patch b/fix-CVE-2024-33871.patch
new file mode 100644
index 0000000..1118715
--- /dev/null
+++ b/fix-CVE-2024-33871.patch
@@ -0,0 +1,62 @@
+diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
+index 70475ad..013a497 100644
+--- a/contrib/opvp/gdevopvp.c
++++ b/contrib/opvp/gdevopvp.c
+@@ -185,7 +185,7 @@ static int opvp_copy_color(gx_device *, const byte *, int, int,
+ static int _get_params(gs_param_list *);
+ static int opvp_get_params(gx_device *, gs_param_list *);
+ static int oprp_get_params(gx_device *, gs_param_list *);
+-static int _put_params(gs_param_list *);
++static int _put_params(gx_device *, gs_param_list *);
+ static int opvp_put_params(gx_device *, gs_param_list *);
+ static int oprp_put_params(gx_device *, gs_param_list *);
+ static int opvp_fill_path(gx_device *, const gs_gstate *, gx_path *,
+@@ -3043,7 +3043,7 @@ _get_params(gs_param_list *plist)
+ /* vector driver name */
+ pname = "Driver";
+ vdps.data = (byte *)vectorDriver;
+- vdps.size = (vectorDriver ? strlen(vectorDriver) + 1 : 0);
++ vdps.size = (vectorDriver ? strlen(vectorDriver) : 0);
+ vdps.persistent = false;
+ code = param_write_string(plist, pname, &vdps);
+ if (code) ecode = code;
+@@ -3180,7 +3180,7 @@ oprp_get_params(gx_device *dev, gs_param_list *plist)
+ * put params
+ */
+ static int
+-_put_params(gs_param_list *plist)
++_put_params(gx_device *dev, gs_param_list *plist)
+ {
+ int code;
+ int ecode = 0;
+@@ -3202,6 +3202,12 @@ _put_params(gs_param_list *plist)
+ code = param_read_string(plist, pname, &vdps);
+ switch (code) {
+ case 0:
++ if (gs_is_path_control_active(dev->memory)
++ && (!vectorDriver || strlen(vectorDriver) != vdps.size
++ || memcmp(vectorDriver, vdps.data, vdps.size) != 0)) {
++ param_signal_error(plist, pname, gs_error_invalidaccess);
++ return_error(gs_error_invalidaccess);
++ }
+ buff = realloc(buff, vdps.size + 1);
+ memcpy(buff, vdps.data, vdps.size);
+ buff[vdps.size] = 0;
+@@ -3403,7 +3409,7 @@ opvp_put_params(gx_device *dev, gs_param_list *plist)
+ int code;
+
+ /* put params */
+- code = _put_params(plist);
++ code = _put_params(dev, plist);
+ if (code) 
return code; + + /* put default params */ +@@ -3419,7 +3425,7 @@ oprp_put_params(gx_device *dev, gs_param_list *plist) + int code; + + /* put params */ +- code = _put_params(plist); ++ code = _put_params(dev, plist); + if (code) return code; + + /* put default params */ diff --git a/ghostscript.spec b/ghostscript.spec index e908926..b4c0504 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -9,7 +9,7 @@ Name: ghostscript Version: 9.55.0 -Release: 11 +Release: 12 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ @@ -41,8 +41,8 @@ Patch15: Bug-707510-review-printing-of-pointers.patch # CVE-2024-29511 Patch16: Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch Patch17: Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch - Patch18: Bug-707510-fix-LIBIDN-usage.patch +Patch19: fix-CVE-2024-33871.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -203,6 +203,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Tue Sep 24 2024 dillon chen - 9.55.0-12 +- Type:CVE +- ID:NA +- SUG:NA +- DECS: fix CVE-2024-33871 + * Fri Jul 12 2024 zhangxianting - 9.55.0-11 - Type:CVE - ID:NA -- Gitee From 8a1a44cd72eb956c5cc520aa1f1c33dfd03a108d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=99=88=E6=A3=8B=E5=BE=B7?= Date: Tue, 24 Sep 2024 07:17:20 +0000 Subject: [PATCH 2/2] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20CVE-?= =?UTF-8?q?2023-46751.patch?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CVE-2023-46751.patch | 43 ------------------------------------------- 1 file changed, 43 deletions(-) delete mode 100644 CVE-2023-46751.patch diff --git a/CVE-2023-46751.patch b/CVE-2023-46751.patch deleted file mode 100644 index 1e0c31f..0000000 --- a/CVE-2023-46751.patch +++ /dev/null 
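Review bot: The guard added under `case 0:` in `_put_params` compares `strlen(vectorDriver)` with `vdps.size`, so a value read back through `_get_params` passes only because the same patch stops counting the terminating NUL there, and nothing in the code records that coupling. I would add a comment above the check, for example `/* With path control active, accept Driver only if it equals the current value; vdps.size excludes the NUL, matching _get_params */`. The check is conditional on `gs_is_path_control_active(dev->memory)`, so a run where path control is not active still accepts any `Driver` value; the changelog entry could say so for anyone relying on this backport as a mitigation. The `realloc` result on the context line after the guard is passed to `memcpy` without a NULL check, which the patch leaves unchanged. `_put_params` begins and ends outside the visible hunks.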
@@ -1,43 +0,0 @@
-From 5d2da96e81c7455338302c71a291088a8396245a Mon Sep 17 00:00:00 2001
-From: Chris Liddell
-Date: Mon, 16 Oct 2023 16:49:40 +0100
-Subject: [PATCH] Bug 707264: Fix tiffsep(1) requirement for seekable output
- files
-
-In the device initialization redesign, tiffsep and tiffsep1 lost the requirement
-for the output files to be seekable.
-
-Fixing that highlighted a problem with the error handling in
-gdev_prn_open_printer_seekable() where closing the erroring file would leave a
-dangling pointer, and lead to a crash.
----
- base/gdevprn.c | 1 +
- devices/gdevtsep.c | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/base/gdevprn.c b/base/gdevprn.c
-index 0491a3c6c..033632387 100644
---- a/base/gdevprn.c
-+++ b/base/gdevprn.c
-@@ -1271,6 +1271,7 @@ gdev_prn_open_printer_seekable(gx_device *pdev, bool binary_mode,
- && !IS_LIBCTX_STDERR(pdev->memory, gp_get_file(ppdev->file))) {
-
- code = gx_device_close_output_file(pdev, ppdev->fname, ppdev->file);
-+ ppdev->file = NULL;
- if (code < 0)
- return code;
- }
-diff --git a/devices/gdevtsep.c b/devices/gdevtsep.c
-index 7fd3c5518..f7a1b174b 100644
---- a/devices/gdevtsep.c
-+++ b/devices/gdevtsep.c
-@@ -737,6 +737,7 @@ tiffsep_initialize_device_procs(gx_device *dev)
- {
- gdev_prn_initialize_device_procs(dev);
-
-+ set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
- set_dev_proc(dev, open_device, tiffsep_prn_open);
- set_dev_proc(dev, close_device, tiffsep_prn_close);
- set_dev_proc(dev, map_color_rgb, tiffsep_decode_color);
---
-2.34.1
--
Gitee