diff --git a/backport-CVE-2024-46951.patch b/backport-CVE-2024-46951.patch
new file mode 100644
index 0000000000000000000000000000000000000000..926c0aa3723aab6b40f93e17dbd07f2b12161fbc
--- /dev/null
+++ b/backport-CVE-2024-46951.patch
@@ -0,0 +1,31 @@
+From ada21374f0c90cc3acf7ce0e96302394560c7aee Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Fri, 30 Aug 2024 13:16:39 +0100
+Subject: [PATCH] PS interpreter - check the type of the Pattern Implementation
+
+Bug #707991
+
+See bug report for details.
+
+CVE-2024-46951
+---
+ psi/zcolor.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/psi/zcolor.c b/psi/zcolor.c
+index d4e7a4438..d3384d75d 100644
+--- a/psi/zcolor.c
++++ b/psi/zcolor.c
+@@ -5276,6 +5276,9 @@ static int patterncomponent(i_ctx_t * i_ctx_p, ref *space, int *n)
+ code = array_get(imemory, pImpl, 0, &pPatInst);
+ if (code < 0)
+ return code;
++
++ if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
++ return_error(gs_error_typecheck);
+ cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
+ if (pattern_instance_uses_base_space(cc.pattern))
+ *n = n_comps;
+--
+2.34.1
+
diff --git a/backport-CVE-2024-46952.patch b/backport-CVE-2024-46952.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e4ff84c0c5244afb2c78ea02629fb880a169bd96
--- /dev/null
+++ b/backport-CVE-2024-46952.patch
@@ -0,0 +1,61 @@
+From 1fb76aaddac34530242dfbb9579d9997dae41264 Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Mon, 2 Sep 2024 15:14:01 +0100
+Subject: [PATCH] PDF interpreter - sanitise W array values in Xref streams
+
+Bug #708001 "Buffer overflow in PDF XRef stream"
+
+See bug report. I've chosen to fix this by checking the values in the
+W array; these can (currently at least) only have certain relatively
+small values.
+
+As a future proofing fix I've also updated field_size in
+pdf_xref_stream_entries() to be a 64-bit integer. This is far bigger
+than required, but matches the W array values and so prevents the
+mismatch which could lead to a buffer overrun.
+
+CVE-2024-46952
+---
+ pdf/pdf_xref.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c
+index 7e61113..ad45852 100644
+--- a/pdf/pdf_xref.c
++++ b/pdf/pdf_xref.c
+@@ -53,7 +53,7 @@ static int resize_xref(pdf_context *ctx, uint64_t new_size)
+ static int read_xref_stream_entries(pdf_context *ctx, pdf_c_stream *s, uint64_t first, uint64_t last, uint64_t *W)
+ {
+ uint i, j;
+- uint field_width = 0;
++ uint64_t field_width = 0;
+ uint32_t type = 0;
+ uint64_t objnum = 0, gen = 0;
+ byte *Buffer;
+@@ -297,6 +297,24 @@ static int pdfi_process_xref_stream(pdf_context *ctx, pdf_stream *stream_obj, pd
+ }
+ pdfi_countdown(a);
+
++ /* W[0] is either:
++ * 0 (no type field) or a single byte with the type.
++ * W[1] is either:
++ * The object number of the next free object, the byte offset of this object in the file or the object5 number of the object stream where this object is stored.
++ * W[2] is either:
++ * The generation number to use if this object is used again, the generation number of the object or the index of this object within the object stream.
++ *
++ * Object and generation numbers are limited to unsigned 64-bit values, as are bytes offsets in the file, indexes of objects within the stream likewise (actually
++ * most of these are generally 32-bit max). So we can limit the field widths to 8 bytes, enough to hold a 64-bit number.
++ * Even if a later version of the spec makes these larger (which seems unlikely!) we still cna't cope with integers > 64-bits.
++ */
++ if (W[0] > 1 || W[1] > 8 || W[2] > 8) {
++ pdfi_close_file(ctx, XRefStrm);
++ pdfi_countdown(ctx->xref_table);
++ ctx->xref_table = NULL;
++ return code;
++ }
++
+ code = pdfi_dict_get_type(ctx, sdict, "Index", PDF_ARRAY, (pdf_obj **)&a);
+ if (code == gs_error_undefined) {
+ code = read_xref_stream_entries(ctx, XRefStrm, 0, size - 1, (uint64_t *)W);
+--
+2.43.0
diff --git a/ghostscript.spec b/ghostscript.spec
index 014801b8eab6768cc5e59d8a2774496b8a2adb77..ebb2984d71c59ceb3aca234665fe93a9dd724545 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -9,7 +9,7 @@ Name: ghostscript
 Version: 9.56.1
-Release: 11
+Release: 13
 Summary: An interpreter for PostScript and PDF files
 License: AGPLv3+
 URL: https://ghostscript.com/
@@ -66,7 +66,9 @@ Patch116: Bug-707510-fix-LIBIDN-usage.patch
 Patch117: fix-CVE-2024-33869-second.patch
 Patch118: backport-CVE-2024-46953.patch
 Patch119: backport-CVE-2024-46956.patch
-Patch120: backport-CVE-2024-46955.patch
+Patch120: backport-CVE-2024-46951.patch
+Patch121: backport-CVE-2024-46952.patch
+Patch122: backport-CVE-2024-46955.patch
 BuildRequires: automake gcc
 BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -155,6 +157,8 @@ PDF files using Ghostscript and dvips
 %patch118 -p1
 %patch119 -p1
 %patch120 -p1
+%patch121 -p1
+%patch122 -p1
 # Libraries that we already have packaged(see Build Requirements):
 rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
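Review bot: The new range check `if (W[0] > 1 || W[1] > 8 || W[2] > 8)` only bounds the W values from above; the call a few lines below passes `(uint64_t *)W`, which suggests W is declared with a signed element type outside the hunk, and if so a negative W[i] passes all three comparisons and is then reinterpreted as a very large field width inside read_xref_stream_entries. Confirm W's declaration and, if it is signed, reject negative values as well: `if (W[0] < 0 || W[0] > 1 || W[1] < 0 || W[1] > 8 || W[2] < 0 || W[2] > 8) {`. Separately, the rejection path ends in `return code;`, where code is whatever the preceding lookup left (presumably non-negative after the W array was read successfully), so an invalid W array is reported to the caller as success with ctx->xref_table set to NULL; if that is not the intended recovery path, return an explicit error such as `return_error(gs_error_rangecheck);`. pdfi_process_xref_stream begins and ends outside the hunk, so the caller's handling of a NULL xref_table cannot be checked here.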
@@ -248,13 +252,25 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 %changelog
-* Wed Oct 30 2024 liningjie - 9.56.1-11
+* Fri Nov 08 2024 liningjie - 9.56.1-13
 - Type:CVE
 - ID:NA
 - SUG:NA
 - DECS: Fix CVE-2024-46955
-* Tue Oct 29 2024 liningjie - 9.56.1-10
+* Tue Nov 05 2024 liningjie - 9.56.1-12
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46952
+
+* Fri Nov 01 2024 liningjie - 9.56.1-11
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46951
+
+* Fri Oct 25 2024 liningjie - 9.56.1-10
 - Type:CVE
 - ID:NA
 - SUG:NA