diff --git a/backport-CVE-2025-27830.patch b/backport-CVE-2025-27830.patch new file mode 100644 index 0000000000000000000000000000000000000000..f7bfe22f390e198d0ecbb30cf857bbca02f873f8 --- /dev/null +++ b/backport-CVE-2025-27830.patch @@ -0,0 +1,55 @@ +Backport of: + +From 8474e1d6b896e35741d3c608ea5c21deeec1078f Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra +Date: Mon, 13 Jan 2025 09:15:01 +0000 +Subject: Bug 708241: Fix potential Buffer overflow with DollarBlend + +During serializing a multiple master font for passing to Freetype. + +Use CVE-2025-27830 +--- + base/write_t1.c | 9 +++++---- + psi/zfapi.c | 9 +++++++-- + 2 files changed, 12 insertions(+), 6 deletions(-) + +--- a/base/write_t1.c ++++ b/base/write_t1.c +@@ -454,6 +454,7 @@ write_main_dictionary(gs_fapi_font * a_f + WRF_wbyte(a_fapi_font->memory, a_output, '\n'); + if (is_MM_font(a_fapi_font)) { + short x, x2; ++ unsigned short ux; + float x1; + uint i, j, entries; + char Buffer[255]; +@@ -548,14 +549,14 @@ write_main_dictionary(gs_fapi_font * a_f + * be because the "get_proc" method below was missing the code to handle PS name + * objects. + */ +- if ((x = ++ if ((ux = + a_fapi_font->get_word(a_fapi_font, + gs_fapi_font_feature_DollarBlend_length, + 0)) > 0) { + WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {"); + + if (a_output->m_count) +- a_output->m_count += x; ++ a_output->m_count += ux; + x = a_fapi_font->get_proc(a_fapi_font, + gs_fapi_font_feature_DollarBlend, 0, + (char *)a_output->m_pos); +--- a/psi/zfapi.c ++++ b/psi/zfapi.c +@@ -618,6 +618,10 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fa + default: + break; + } ++ ++ if (length > max_ushort) { ++ return 0; ++ } + } + return length; + } diff --git a/ghostscript.spec b/ghostscript.spec index 02167a66fdaf43af96750f070084e8e77403d897..d56c4bd9c9b9b58f45d6d135ffd8a40d5321bb18 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -9,7 +9,7 @@ Name: ghostscript Version: 9.52 -Release: 21 +Release: 22 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ @@ -64,9 +64,10 @@ Patch45: backport-CVE-2024-46953.patch Patch46: backport-CVE-2024-46956.patch Patch47: backport-CVE-2024-46955.patch Patch48: backport-CVE-2024-46951.patch -Patch49: backport-CVE-2025-27832.patch -Patch50: backport-CVE-2025-27835.patch -Patch60: backport-CVE-2025-27836.patch +Patch49: backport-CVE-2025-27830.patch +Patch50: backport-CVE-2025-27832.patch +Patch51: backport-CVE-2025-27835.patch +Patch52: backport-CVE-2025-27836.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -227,6 +228,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Tue Apr 01 2025 Funda Wang - 9.52-22 +- Type:CVE +- ID:NA +- SUG:NA +- DECS: Fix CVE-2025-27830 + * Thu Mar 27 2025 Funda Wang - 9.52-21 - Type:CVE - ID:NA