From 6d6efe5fbc559b232a38f9d49092c55ae715aec9 Mon Sep 17 00:00:00 2001
From: Funda Wang <fundawang@yeah.net>
Date: Fri, 23 May 2025 20:20:24 +0800
Subject: [PATCH] Fix CVE-2025-48708

(cherry picked from commit 432ec25c559f544794a40d69d82e1669eeb24e89)
---
 backport-CVE-2025-48708.patch | 41 +++++++++++++++++++++++++++++++++++
 ghostscript.spec              |  9 +++++++-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-48708.patch

diff --git a/backport-CVE-2025-48708.patch b/backport-CVE-2025-48708.patch
new file mode 100644
index 0000000..bea7230
--- /dev/null
+++ b/backport-CVE-2025-48708.patch
@@ -0,0 +1,41 @@
+From b587663c623b4462f9e78686a31fd880207303ee Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Sat, 12 Apr 2025 10:24:43 +0100
+Subject: Argument sanitisation - handle '#' as per '='
+
+Bug 708446
+---
+ base/gslibctx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 2cf5c9dda..f8d55de18 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -1225,9 +1225,9 @@ gs_lib_ctx_stash_sanitized_arg(gs_lib_ctx_t *ctx, const char *arg)
+         case '-': /* Need to check for permitted file lists */
+             /* By default, we want to keep the key, but lose the value */
+             p = arg+2;
+-            while (*p && *p != '=')
++            while (*p && *p != '=' && *p != '#')
+                 p++;
+-            if (*p == '=')
++            if (*p == '=' || *p == '#')
+                 p++;
+             if (*p == 0)
+                 break; /* No value to elide */
+@@ -1269,9 +1269,9 @@ gs_lib_ctx_stash_sanitized_arg(gs_lib_ctx_t *ctx, const char *arg)
+         case 'S':
+             /* By default, we want to keep the key, but lose the value */
+             p = arg+2;
+-            while (*p && *p != '=')
++            while (*p && *p != '=' && *p != '#')
+                 p++;
+-            if (*p == '=')
++            if (*p == '=' || *p == '#')
+                 p++;
+             if (*p == 0)
+                 break; /* No value to elide */
+-- 
+cgit v1.2.3
+
diff --git a/ghostscript.spec b/ghostscript.spec
index f6c9d86..d10511a 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -9,7 +9,7 @@
 
 Name:             ghostscript
 Version:          9.56.1
-Release:          16
+Release:          17
 Summary:          An interpreter for PostScript and PDF files
 License:          AGPLv3+
 URL:              https://ghostscript.com/
@@ -77,6 +77,7 @@ Patch127:   backport-CVE-2025-27834.patch
 Patch128:   backport-CVE-2025-27835.patch
 Patch129:   backport-CVE-2025-27836.patch
 Patch130:   Add-CJK-Chinese-font-mappings.patch
+Patch131:   backport-CVE-2025-48708.patch
 
 BuildRequires:    automake gcc
 BuildRequires:    adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -237,6 +238,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 
 %changelog
+* Fri May 23 2025 Funda Wang <fundawang@yeah.net> - 9.56.1-17
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2025-48708
+
 * Tue Apr 01 2025 Funda Wang <fundawang@yeah.net> - 9.56.1-16
 - Type:CVE
 - ID:NA
-- 
Gitee