diff --git a/backport-CVE-2024-46955.patch b/backport-CVE-2024-46955.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bb789e7f32c90c870f63989f1d24ab4885acef37
--- /dev/null
+++ b/backport-CVE-2024-46955.patch
@@ -0,0 +1,59 @@
+From ca1fc2aefe9796e321d0589afe7efb35063c8b2a Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Fri, 30 Aug 2024 13:11:53 +0100
+Subject: [PATCH] PS interpreter - check Indexed colour space index
+
+Bug #707990 "Out of bounds read when reading color in "Indexed" color space"
+
+Check the 'index' is in the valid range (0 to hival) for the colour
+space.
+
+Also a couple of additional checks on the type of the 'proc' for
+Indexed, DeviceN and Separation spaces. Make sure these really are
+procs in case the user changed the colour space array.
+
+CVE-2024-46955
+---
+ psi/zcolor.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/psi/zcolor.c b/psi/zcolor.c
+index c0d73c2..7d15ec7 100644
+--- a/psi/zcolor.c
++++ b/psi/zcolor.c
+@@ -3629,6 +3629,7 @@ static int septransform(i_ctx_t *i_ctx_p, ref *sepspace, int *usealternate, int
+ code = array_get(imemory, sepspace, 3, &proc);
+ if (code < 0)
+ return code;
++ check_proc(proc);
+ *esp = proc;
+ return o_push_estack;
+ }
+@@ -4450,6 +4451,7 @@ static int devicentransform(i_ctx_t *i_ctx_p, ref *devicenspace, int *usealterna
+ code = array_get(imemory, devicenspace, 3, &proc);
+ if (code < 0)
+ return code;
++ check_proc(proc);
+ *esp = proc;
+ return o_push_estack;
+ }
+@@ -4865,6 +4867,7 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
+ code = array_get(imemory, space, 3, &proc);
+ if (code < 0)
+ return code;
++ check_proc(proc);
+ *ep = proc; /* lookup proc */
+ return o_push_estack;
+ } else {
+@@ -4878,6 +4881,9 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
+ if (!r_has_type(op, t_integer))
+ return_error (gs_error_typecheck);
+ index = op->value.intval;
++ /* Ensure it is in range. See bug #707990 */
++ if (index < 0 || index > pcs->params.indexed.hival)
++ return_error(gs_error_rangecheck);
+ /* And remove it from the stack. */
+ ref_stack_pop(&o_stack, 1);
+ op = osp;
+--
+2.27.0
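Review bot: The comment on the new range check in the last zcolor.c hunk (`@@ -4878,6 +4881,9 @@`, in indexedbasecolor) does not say that the upper bound is inclusive, so a later reader could "tighten" `index > pcs->params.indexed.hival` to `>=` and reject the last valid entry, or loosen the lower bound. I would spell it out, for example `/* Valid indices are 0..hival inclusive; reject before use. See bug #707990 */`, which matches the "(0 to hival)" wording in the commit message. The declaration of `index` is outside the hunk, so it is worth confirming that the assignment from `op->value.intval` does not narrow the value in a way that makes the compared value differ from what the PostScript program supplied. The three added `check_proc(proc);` statements are used without a result, which suggests a macro that returns from the enclosing function on failure; a short comment such as `/* returns an error here if slot 3 is no longer a procedure */` would make that hidden exit visible in septransform, devicentransform and indexedbasecolor. All three functions start and end outside the hunks shown, so the stack state at those early returns cannot be checked from this page.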
diff --git a/ghostscript.spec b/ghostscript.spec index 22eeb35ff7028853d2f8bf9b62d67211b83d1498..ebb2984d71c59ceb3aca234665fe93a9dd724545 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -9,7 +9,7 @@ Name: ghostscript Version: 9.56.1 -Release: 12 +Release: 13 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ @@ -68,6 +68,7 @@ Patch118: backport-CVE-2024-46953.patch Patch119: backport-CVE-2024-46956.patch Patch120: backport-CVE-2024-46951.patch Patch121: backport-CVE-2024-46952.patch +Patch122: backport-CVE-2024-46955.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -157,6 +158,7 @@ PDF files using Ghostscript and dvips %patch119 -p1 %patch120 -p1 %patch121 -p1 +%patch122 -p1 # Libraries that we already have packaged(see Build Requirements): rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib @@ -250,6 +252,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Fri Nov 08 2024 liningjie - 9.56.1-13 +- Type:CVE +- ID:NA +- SUG:NA +- DECS: Fix CVE-2024-46955 + * Tue Nov 05 2024 liningjie - 9.56.1-12 - Type:CVE - ID:NA