From 0db73b54a7ff85c6cc304b71d80c268f9e66e441 Mon Sep 17 00:00:00 2001 From: liningjie Date: Thu, 24 Aug 2023 11:01:16 +0800 Subject: [PATCH] fix CVE-2023-28879 --- CVE-2023-28879.patch | 49 ++++++++++++++++++++++++++++++++++++++++++++ ghostscript.spec | 6 +++++- 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-28879.patch diff --git a/CVE-2023-28879.patch b/CVE-2023-28879.patch new file mode 100644 index 0000000..3223963 --- /dev/null +++ b/CVE-2023-28879.patch @@ -0,0 +1,49 @@ +From 5fc0b03188397142c61437e8ec68eb947abebf58 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Fri, 24 Mar 2023 13:19:57 +0000 +Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding + +Bug #706494 "Buffer Overflow in s_xBCPE_process" + +As described in detail in the bug report, if the write buffer is filled +to one byte less than full, and we then try to write an escaped +character, we overrun the buffer because we don't check before +writing two bytes to it. + +This just checks if we have two bytes before starting to write an +escaped character and exits if we don't (replacing the consumed byte +of the input). + +Up for further discussion; why do we even permit a BCP encoding filter +anyway ? I think we should remove this, at least when SAFER is true. +--- + base/sbcp.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/base/sbcp.c b/base/sbcp.c +index 979ae0992..47fc233ec 100644 +--- a/base/sbcp.c ++++ b/base/sbcp.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2021 Artifex Software, Inc. ++/* Copyright (C) 2001-2023 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr, + byte ch = *++p; + + if (ch <= 31 && escaped[ch]) { ++ /* Make sure we have space to store two characters in the write buffer, ++ * if we don't then exit without consuming the input character, we'll process ++ * that on the next time round. ++ */ ++ if (pw->limit - q < 2) { ++ p--; ++ break; ++ } + if (p == rlimit) { + p--; + break; +-- +2.34.1 diff --git a/ghostscript.spec b/ghostscript.spec index 0567801..df1bbbe 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -9,7 +9,7 @@ Name: ghostscript Version: 9.55.0 -Release: 3 +Release: 4 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ @@ -19,6 +19,7 @@ Patch0: ghostscript-9.23-100-run-dvipdf-securely.patch Patch1: backport-Bug-704405-Fix-typo-in-non-forked-lcms2-code.patch Patch2: backport-CVE-2022-2085.patch Patch3: CVE-2023-38559.patch +Patch4: CVE-2023-28879.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -179,6 +180,9 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Thu Aug 24 2023 liningjie - 9.55.0-4 +- fix CVE-2023-28879 + * Tue Aug 15 2023 liningjie - 9.55.0-3 - fix CVE-2023-38559 -- Gitee