diff --git a/CVE-2023-28879.patch b/CVE-2023-28879.patch
new file mode 100644
index 0000000000000000000000000000000000000000..67dfaa6b7590c9fcbbcaa74b17fc4b55c8fcc726
--- /dev/null
+++ b/CVE-2023-28879.patch
@@ -0,0 +1,41 @@
+From 6d6fae79e016629b6c896463f62e7b1a6e651ed6 Mon Sep 17 00:00:00 2001
+From: liningjie
+Date: Thu, 24 Aug 2023 11:36:22 +0800
+Subject: [PATCH] Bug #706494 "Buffer Overflow in s_xBCPE_process"
+
+As described in detail in the bug report, if the write buffer is filled
+to one byte less than full, and we then try to write an escaped
+character, we overrun the buffer because we don't check before
+writing two bytes to it.
+
+This just checks if we have two bytes before starting to write an
+escaped character and exits if we don't (replacing the consumed byte
+of the input).
+
+Up for further discussion; why do we even permit a BCP encoding filter
+anyway ? I think we should remove this, at least when SAFER is true.
+---
+ base/sbcp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/base/sbcp.c b/base/sbcp.c
+index 6b0383c..3b8970f 100644
+--- a/base/sbcp.c
++++ b/base/sbcp.c
+@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
+ byte ch = *++p;
+
+ if (ch <= 31 && escaped[ch]) {
++ /* Make sure we have space to store two characters in the write buffer,
++ * if we don't then exit without consuming the input character, we'll process
++ * that on the next time round.
++ */
++ if (pw->limit - q < 2) {
++ p--;
++ break;
++ }
+ if (p == rlimit) {
+ p--;
+ break;
+--
+2.27.0
diff --git a/ghostscript.spec b/ghostscript.spec
index 7a29fda644fcd1b85f9e84110b92eb6a4f9779fa..6681f8a87b981bd7765322b01661269db66b996f 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -9,7 +9,7 @@ Name: ghostscript
 Version: 9.52
-Release: 7
+Release: 8
 Summary: An interpreter for PostScript and PDF files
 License: AGPLv3+
 URL: https://ghostscript.com/
@@ -50,6 +50,7 @@ Patch31: backport-Fix-pdfwrite-d-mode-with-file-permissions.patch
 Patch32: backport-Coverity-361429-move-break-to-correct-place.patch
 Patch33: backport-CVE-2021-3781-BUg-704342-Include-device-specifier-strings-in-acces.patch
 Patch34: CVE-2023-38559.patch
+Patch35: CVE-2023-28879.patch
 BuildRequires: automake gcc
 BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -210,6 +211,11 @@ make check
 %{_bindir}/dvipdf
 %changelog
+* Tue Sep 5 2023 liningjie - 9.52-8
+- Type:CVE
+- ID:CVE-2023-28879
+- SUG:NA
+
 * Tue Aug 15 2023 liningjie - 9.52-7
 - Type:CVE
 - ID:CVE-2023-38559
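Review bot: The `+Patch35: CVE-2023-28879.patch` line declares the patch, but no corresponding `%patch35 -p1` application appears anywhere in this diff; if the spec's `%prep` applies patches with explicit `%patchN` lines rather than `%autosetup`/`%autopatch`, the file ships in the SRPM yet is never applied and the write-buffer overrun in s_xBCPE_process remains in the built package. The `%prep` section lies outside these hunks, so this cannot be confirmed here; checking the `rpmbuild -bp` log for the patch being applied, or inspecting the patched base/sbcp.c for the `pw->limit - q < 2` guard, would settle it. The vendored patch's `index 6b0383c..3b8970f` line comes from upstream's tree rather than 9.52, so it is also worth confirming the hunk applies without fuzz to base/sbcp.c at this version. The other two hunks (release bump and changelog) raise nothing.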