From bbcb6f7ff8403fa5e21c6b1f77edbfba81ad1208 Mon Sep 17 00:00:00 2001
From: liningjie
Date: Fri, 25 Oct 2024 12:09:28 +0800
Subject: [PATCH] Fix CVE-2024-46953
(cherry picked from commit 2713d387491bdd992865c8f00f9703cc8572ccb9)
---
 backport-CVE-2024-46953.patch | 66 +++++++++++++++++++++++++++++++++++
 ghostscript.spec | 11 ++++--
 2 files changed, 75 insertions(+), 2 deletions(-)
 create mode 100644 backport-CVE-2024-46953.patch
diff --git a/backport-CVE-2024-46953.patch b/backport-CVE-2024-46953.patch
new file mode 100644
index 0000000..0bd81b6
--- /dev/null
+++ b/backport-CVE-2024-46953.patch
@@ -0,0 +1,66 @@
+From 294a3755e33f453dd92e2a7c4cfceb087ac09d6a Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Mon, 27 May 2024 13:38:36 +0100
+Subject: [PATCH] Bug 707793: Check for overflow validating format string
+
+for the output file name
+
+CVE-2024-46953
+---
+ base/gsdevice.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/base/gsdevice.c b/base/gsdevice.c
+index 90e699ab4..c1eaedd85 100644
+--- a/base/gsdevice.c
++++ b/base/gsdevice.c
+@@ -1070,7 +1070,7 @@ static int
+ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+ {
+ bool have_format = false, field;
+- int width[2], int_width = sizeof(int) * 3, w = 0;
++ uint width[2], int_width = sizeof(int) * 3, w = 0;
+ uint i;
+
+ /* Scan the file name for a format string, and validate it if present. */
+@@ -1099,6 +1099,8 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+ default: /* width (field = 0) and precision (field = 1) */
+ if (strchr("0123456789", pfn->fname[i])) {
+ width[field] = width[field] * 10 + pfn->fname[i] - '0';
++ if (width[field] > max_int)
++ return_error(gs_error_undefinedfilename);
+ continue;
+ } else if (0 == field && '.' == pfn->fname[i]) {
+ field++;
+@@ -1127,8 +1129,10 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+ /* Calculate a conservative maximum width. 
*/
+ w = max(width[0], width[1]);
+ w = max(w, int_width) + 5;
++ if (w > max_int)
++ return_error(gs_error_undefinedfilename);
+ }
+- return w;
++ return (int)w;
+ }
+
+ /*
+@@ -1181,10 +1185,15 @@ gx_parse_output_file_name(gs_parsed_file_name_t *pfn, const char **pfmt,
+ if (!pfn->fname)
+ return 0;
+ code = gx_parse_output_format(pfn, pfmt);
+- if (code < 0)
++ if (code < 0) {
+ return code;
+- if (strlen(pfn->iodev->dname) + pfn->len + code >= gp_file_name_sizeof)
++ }
++
++ if (pfn->len >= gp_file_name_sizeof - strlen(pfn->iodev->dname) ||
++ code >= gp_file_name_sizeof - strlen(pfn->iodev->dname) - pfn->len) {
+ return_error(gs_error_undefinedfilename);
++ }
++
+ return 0;
+ }
+
+--
+2.34.1
diff --git a/ghostscript.spec b/ghostscript.spec
index a6e45c2..02f894b 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -9,7 +9,7 @@
 Name: ghostscript
 Version: 9.56.1
-Release: 8
+Release: 9
 Summary: An interpreter for PostScript and PDF files
 License: AGPLv3+
 URL: https://ghostscript.com/
@@ -64,6 +64,7 @@ Patch116: Bug-707510-fix-LIBIDN-usage.patch
 # See bug thread for details
 #This is the second part of the fix for CVE-2024-33869
 Patch117: fix-CVE-2024-33869-second.patch
+Patch118: backport-CVE-2024-46953.patch
 BuildRequires: automake gcc
 BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -149,7 +150,7 @@ PDF files using Ghostscript and dvips
 %patch115 -p1
 %patch116 -p1
 %patch117 -p1
-
+%patch118 -p1
 # Libraries that we already have packaged(see Build Requirements):
 rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
@@ -243,6 +244,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 %changelog
+* Fri Oct 25 2024 liningjie - 9.56.1-9
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46953
+
 * Fri Jul 12 2024 zhangxianting - 9.56.1-8
 - Type:CVE
 - ID:NA
--
Gitee
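Review bot: The digit-accumulation guard added to gx_parse_output_format in the backported patch tests `width[field] > max_int` only after `width[field] * 10 + pfn->fname[i] - '0'` has been computed. With `width` now declared `uint`, that product can wrap modulo 2^32 (assuming uint is a 32-bit unsigned int, which the hunk does not show) and land back at or below max_int, so an oversized width or precision would be accepted with a small stored value. The "conservative maximum width" returned to gx_parse_output_file_name would then be smaller than the field width actually written in the format string, and the new length check there depends on that value. Testing before the multiply avoids the wrap: `if (width[field] > (max_int - (pfn->fname[i] - '0')) / 10) return_error(gs_error_undefinedfilename);`. Both functions continue outside the quoted hunks, so how the validated format is consumed afterwards cannot be confirmed from this page.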