diff --git a/backport-CVE-2024-46955.patch b/backport-CVE-2024-46955.patch
new file mode 100644
index 0000000000000000000000000000000000000000..528b36db792272beba07470fa140917da934b1b3
--- /dev/null
+++ b/backport-CVE-2024-46955.patch
@@ -0,0 +1,60 @@
+From ca1fc2aefe9796e321d0589afe7efb35063c8b2a Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Fri, 30 Aug 2024 13:11:53 +0100
+Subject: [PATCH] PS interpreter - check Indexed colour space index
+
+Bug #707990 "Out of bounds read when reading color in "Indexed" color space"
+
+Check the 'index' is in the valid range (0 to hival) for the colour
+space.
+
+Also a couple of additional checks on the type of the 'proc' for
+Indexed, DeviceN and Separation spaces. Make sure these really are
+procs in case the user changed the colour space array.
+
+CVE-2024-46955
+---
+ psi/zcolor.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/psi/zcolor.c b/psi/zcolor.c
+index 373bc06..7c00033 100644
+--- a/psi/zcolor.c
++++ b/psi/zcolor.c
+@@ -3635,6 +3635,7 @@ static int septransform(i_ctx_t *i_ctx_p, ref *sepspace, int *usealternate, int
+ code = array_get(imemory, sepspace, 3, &proc);
+ if (code < 0)
+ return code;
++ check_proc(proc);
+ *esp = proc;
+ return o_push_estack;
+ }
+@@ -4457,6 +4458,7 @@ static int devicentransform(i_ctx_t *i_ctx_p, ref *devicenspace, int *usealterna
+ code = array_get(imemory, devicenspace, 3, &proc);
+ if (code < 0)
+ return code;
++ check_proc(proc);
+ *esp = proc;
+ return o_push_estack;
+ }
+@@ -4872,6 +4874,7 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
+ code = array_get(imemory, space, 3, &proc);
+ if (code < 0)
+ return code;
++ check_proc(proc);
+ *ep = proc; /* lookup proc */
+ return o_push_estack;
+ } else {
+@@ -4885,6 +4888,9 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
+ if (!r_has_type(op, t_integer))
+ return_error (gs_error_typecheck);
+ index = op->value.intval;
++ /* Ensure it is in range. See bug #707990 */
++ if (index < 0 || index > pcs->params.indexed.hival)
++ return_error(gs_error_rangecheck);
+ /* And remove it from the stack. */
+ pop(1);
+ op = osp;
+--
+2.33.0
+
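Review bot: In the last psi/zcolor.c hunk (indexedbasecolor) the new range check runs after `index = op->value.intval;`, so it tests the value after any narrowing rather than the operand itself. The declarations are outside the hunk, but if `index` is a plain `int` and `intval` is a wider integer type, an operand outside 0..hival could wrap into range and be accepted instead of raising rangecheck; the table read itself stays bounded because the checked value is the one used. Testing the operand before the assignment closes that gap: `if (op->value.intval < 0 || op->value.intval > pcs->params.indexed.hival) return_error(gs_error_rangecheck);`. Separately, the three `check_proc(proc);` additions appear to add a new early exit, and each enclosing block starts outside its hunk, so on the 9.52 tree it is worth confirming that no stack adjustment made earlier in those blocks is left behind when the type check fails.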
diff --git a/ghostscript.spec b/ghostscript.spec index 2998844f997f4aef49e4668346ee3e892b77661a..5317a9b9f058509354f3deed3f95d1b87b242e14 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -9,7 +9,7 @@ Name: ghostscript Version: 9.52 -Release: 18 +Release: 19 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ @@ -62,6 +62,7 @@ Patch43: backport-CVE-2024-29508.patch Patch44: fix-CVE-2024-33871.patch Patch45: backport-CVE-2024-46953.patch Patch46: backport-CVE-2024-46956.patch +Patch47: backport-CVE-2024-46955.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -222,6 +223,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Wed Oct 30 2024 liningjie - 9.52-19 +- Type:CVE +- ID:NA +- SUG:NA +- DECS: Fix CVE-2024-46955 + * Fri Oct 25 2024 liningjie - 9.52-18 - Type:CVE - ID:NA