From e1e269b39290eb91793b1145662767b970ca79f0 Mon Sep 17 00:00:00 2001
From: liningjie
Date: Fri, 25 Oct 2024 13:56:04 +0800
Subject: [PATCH] Fix CVE-2024-46953

---
 backport-CVE-2024-46953.patch | 66 +++++++++++++++++++++++++++++++++++
 ghostscript.spec | 9 ++++-
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-46953.patch

diff --git a/backport-CVE-2024-46953.patch b/backport-CVE-2024-46953.patch
new file mode 100644
index 0000000..0bd81b6
--- /dev/null
+++ b/backport-CVE-2024-46953.patch
@@ -0,0 +1,66 @@
+From 294a3755e33f453dd92e2a7c4cfceb087ac09d6a Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Mon, 27 May 2024 13:38:36 +0100
+Subject: [PATCH] Bug 707793: Check for overflow validating format string
+
+for the output file name
+
+CVE-2024-46953
+---
+ base/gsdevice.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/base/gsdevice.c b/base/gsdevice.c
+index 90e699ab4..c1eaedd85 100644
+--- a/base/gsdevice.c
++++ b/base/gsdevice.c
+@@ -1070,7 +1070,7 @@ static int
+ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+ {
+ bool have_format = false, field;
+- int width[2], int_width = sizeof(int) * 3, w = 0;
++ uint width[2], int_width = sizeof(int) * 3, w = 0;
+ uint i;
+ 
+ /* Scan the file name for a format string, and validate it if present. */
+@@ -1099,6 +1099,8 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+ default: /* width (field = 0) and precision (field = 1) */
+ if (strchr("0123456789", pfn->fname[i])) {
+ width[field] = width[field] * 10 + pfn->fname[i] - '0';
++ if (width[field] > max_int)
++ return_error(gs_error_undefinedfilename);
+ continue;
+ } else if (0 == field && '.' == pfn->fname[i]) {
+ field++;
+@@ -1127,8 +1129,10 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+ /* Calculate a conservative maximum width. */
+ w = max(width[0], width[1]);
+ w = max(w, int_width) + 5;
++ if (w > max_int)
++ return_error(gs_error_undefinedfilename);
+ }
+- return w;
++ return (int)w;
+ }
+ 
+ /*
+@@ -1181,10 +1185,15 @@ gx_parse_output_file_name(gs_parsed_file_name_t *pfn, const char **pfmt,
+ if (!pfn->fname)
+ return 0;
+ code = gx_parse_output_format(pfn, pfmt);
+- if (code < 0)
++ if (code < 0) {
+ return code;
+- if (strlen(pfn->iodev->dname) + pfn->len + code >= gp_file_name_sizeof)
++ }
++
++ if (pfn->len >= gp_file_name_sizeof - strlen(pfn->iodev->dname) ||
++ code >= gp_file_name_sizeof - strlen(pfn->iodev->dname) - pfn->len) {
+ return_error(gs_error_undefinedfilename);
++ }
++
+ return 0;
+ }
+ 
+-- 
+2.34.1
diff --git a/ghostscript.spec b/ghostscript.spec
index b4c0504..84358ef 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -9,7 +9,7 @@
 
 Name: ghostscript
 Version: 9.55.0
-Release: 12
+Release: 13
 Summary: An interpreter for PostScript and PDF files
 License: AGPLv3+
 URL: https://ghostscript.com/
@@ -43,6 +43,7 @@ Patch16: Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch
 Patch17: Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch
 Patch18: Bug-707510-fix-LIBIDN-usage.patch
 Patch19: fix-CVE-2024-33871.patch
+Patch20: backport-CVE-2024-46953.patch
 
 BuildRequires: automake gcc
 BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -203,6 +204,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 
 %changelog
+* Fri Oct 25 2024 liningjie - 9.55.0-13
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46953
+
 * Tue Sep 24 2024 dillon chen - 9.55.0-12
 - Type:CVE
 - ID:NA
-- 
Gitee
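Review bot: The added `if (width[field] > max_int)` test in gx_parse_output_format runs only after `width[field] * 10 + pfn->fname[i] - '0'` has been evaluated. With `width` now declared `uint`, that arithmetic wraps modulo the unsigned range, so a value that is still at or below max_int but above UINT_MAX / 10 can wrap to a small number on the next digit and pass the test. Rejecting before the multiply closes the gap, for example `if (width[field] > (uint)(max_int - (pfn->fname[i] - '0')) / 10) return_error(gs_error_undefinedfilename);` placed ahead of the accumulation. The returned width feeds the new length comparison in gx_parse_output_file_name, so an under-counted width would also weaken that check. How much this matters depends on the formatter that later expands the file name, which this patch does not show; both functions start and end outside the embedded hunks.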