From 8e08a7a98486fb0628b4b041c7ac2bf9fcb0edc9 Mon Sep 17 00:00:00 2001 From: dillon_chen Date: Wed, 2 Aug 2023 17:54:54 +0800 Subject: [PATCH] CVE 28879 36664 38559 --- CVE-2023-28879.patch | 17 +++++++ CVE-2023-36664.patch | 116 +++++++++++++++++++++++++++++++++++++++++++ CVE-2023-38559.patch | 11 ++++ ghostscript.spec | 35 ++++++++++++- 4 files changed, 178 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-28879.patch create mode 100644 CVE-2023-36664.patch create mode 100644 CVE-2023-38559.patch diff --git a/CVE-2023-28879.patch b/CVE-2023-28879.patch new file mode 100644 index 0000000..e5711a8 --- /dev/null +++ b/CVE-2023-28879.patch @@ -0,0 +1,17 @@ +--- base/sbcp.c.orig 2020-03-19 09:21:42.000000000 +0100 ++++ base/sbcp.c 2023-04-03 12:36:26.024927229 +0200 +@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, strea + byte ch = *++p; + + if (ch <= 31 && escaped[ch]) { ++ /* Make sure we have space to store two characters in the write buffer, ++ * if we don't then exit without consuming the input character, we'll process ++ * that on the next time round. ++ */ ++ if (pw->limit - q < 2) { ++ p--; ++ break; ++ } + if (p == rlimit) { + p--; + break; diff --git a/CVE-2023-36664.patch b/CVE-2023-36664.patch new file mode 100644 index 0000000..3c1105c --- /dev/null +++ b/CVE-2023-36664.patch @@ -0,0 +1,116 @@ +--- base/gpmisc.c.orig 2022-04-04 15:48:49.000000000 +0200 ++++ base/gpmisc.c 2023-07-04 08:13:02.173325373 +0200 +@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t * + && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) { + prefix_len = 0; + } +- rlen = len+1; +- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); +- if (bufferfull == NULL) +- return gs_error_VMerror; + +- buffer = bufferfull + prefix_len; +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; +- buffer[rlen] = 0; ++ /* "%pipe%" do not follow the normal rules for path definitions, so we ++ don't "reduce" them to avoid unexpected results ++ */ ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { ++ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ memcpy(buffer, path, len); ++ buffer[len] = 0; ++ rlen = len; ++ } ++ else { ++ rlen = len+1; ++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); ++ if (bufferfull == NULL) ++ return gs_error_VMerror; + ++ buffer = bufferfull + prefix_len; ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) ++ return gs_error_invalidfileaccess; ++ buffer[rlen] = 0; ++ } + while (1) { + switch (mode[0]) + { +--- base/gslibctx.c.orig 2022-04-04 15:48:49.000000000 +0200 ++++ base/gslibctx.c 2023-07-04 08:09:47.834639430 +0200 +@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_m + return gs_error_rangecheck; + } + +- rlen = len+1; +- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); +- if (buffer == NULL) +- return gs_error_VMerror; +- +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; +- buffer[rlen] = 0; ++ /* "%pipe%" do not follow the normal rules for path definitions, so we ++ don't "reduce" them to avoid unexpected results ++ */ ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { ++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ memcpy(buffer, path, len); ++ buffer[len] = 0; ++ rlen = len; ++ } ++ else { ++ rlen = len + 1; ++ ++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) ++ return gs_error_invalidfileaccess; ++ buffer[rlen] = 0; ++ } + + n = control->num; + for (i = 0; i < n; i++) +@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const g + return gs_error_rangecheck; + } + +- rlen = len+1; +- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); +- if (buffer == NULL) +- return gs_error_VMerror; +- +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; +- buffer[rlen] = 0; ++ /* "%pipe%" do not follow the normal rules for path definitions, so we ++ don't "reduce" them to avoid unexpected results ++ */ ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { ++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ memcpy(buffer, path, len); ++ buffer[len] = 0; ++ rlen = len; ++ } ++ else { ++ rlen = len+1; ++ ++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) ++ return gs_error_invalidfileaccess; ++ buffer[rlen] = 0; ++ } + + n = control->num; + for (i = 0; i < n; i++) { diff --git a/CVE-2023-38559.patch b/CVE-2023-38559.patch new file mode 100644 index 0000000..0454d6a --- /dev/null +++ b/CVE-2023-38559.patch @@ -0,0 +1,11 @@ +--- base/gdevdevn.c.orig 2022-04-04 15:48:49.000000000 +0200 ++++ base/gdevdevn.c 2023-07-26 11:31:03.873226054 +0200 +@@ -1950,7 +1950,7 @@ devn_pcx_write_rle(const byte * from, co + byte data = *from; + + from += step; +- if (data != *from || from == end) { ++ if (from >= end || data != *from) { + if (data >= 0xc0) + gp_fputc(0xc1, file); + } else { diff --git a/ghostscript.spec b/ghostscript.spec index e22531a..4a1b33f 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -17,6 +17,29 @@ Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases Patch0: ghostscript-9.23-100-run-dvipdf-securely.patch +# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd +# https://bugs.ghostscript.com/show_bug.cgi?id=706494 +# fix CVE-2023-28879 Buffer Overflow in s_xBCPE_process +Patch101: CVE-2023-28879.patch + +# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c and +# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d +# fix see https://bugs.ghostscript.com/show_bug.cgi?id=706761 +# "OS command injection in %pipe% access" +# and https://bugs.ghostscript.com/show_bug.cgi?id=706778 +# "%pipe% allowed_path bypass" +Patch102: CVE-2023-36664.patch + +# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1 +# CVE-2023-38559.patch fix +# "out of bounds read devn_pcx_write_rle() could result in DoS" +# and https://bugs.ghostscript.com/show_bug.cgi?id=706897 +# which is in base/gdevdevn.c the same issue +# "ordering in if expression to avoid out-of-bounds access" +# as the already fixed CVE-2020-16305 in devices/gdevpcx.c +# see https://bugs.ghostscript.com/show_bug.cgi?id=701819 +Patch103: CVE-2023-38559.patch + BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel BuildRequires: google-droid-sans-fonts urw-base35-fonts-devel @@ -82,7 +105,11 @@ This package provides the utility 'dvipdf' for converting of TeX DVI files into PDF files using Ghostscript and dvips %prep -%autosetup -n %{name}-%{version} -p1 +%setup -q -n %{name}-%{version} +%patch0 -p1 +%patch101 -p0 +%patch102 -p0 +%patch103 -p0 # Libraries that we already have packaged(see Build Requirements): rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib @@ -176,6 +203,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Wed Aug 2 2023 dillon chen - 9.56.1-2 +- Type:CVE +- ID:NA +- SUG:NA +- DESC:fix CVE-2023-28879 CVE-2023-36664 CVE-2023-38559 + * Mon Jun 20 2022 dillon chen - 9.56.1-1 - update vserion to 9.56.1 -- Gitee