From 98a29d5f3b68ccbb5d3a7836c626f17f93de53f1 Mon Sep 17 00:00:00 2001
From: qz_cx
Date: Fri, 10 May 2024 14:05:54 +0800
Subject: [PATCH] fix CVE-2024-33871
---
CVE-2024-33871.patch | 38 ++++++++++++++++++++++++++++++++++++++
ghostscript.spec | 10 +++++++++-
2 files changed, 47 insertions(+), 1 deletion(-)
create mode 100644 CVE-2024-33871.patch
diff --git a/CVE-2024-33871.patch b/CVE-2024-33871.patch
new file mode 100644
index 0000000..71aa596
--- /dev/null
+++ b/CVE-2024-33871.patch
@@ -0,0 +1,38 @@
+From 7145885041bb52cc23964f0aa2aec1b1c82b5908 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Mon, 22 Apr 2024 13:33:47 +0100
+Subject: OPVP device - prevent unsafe parameter change with SAFER
+
+Bug #707754 "OPVP device - Arbitrary code execution via custom Driver library"
+
+The "Driver" parameter for the "opvp"/"oprp" device specifies the name
+of a dynamic library and allows any library to be loaded.
+
+The patch does not allow changing this parameter after activating path
+control.
+
+This addresses CVE-2024-33871
+---
+ contrib/opvp/gdevopvp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
+index 74200cf9d..80eb23b17 100644
+--- a/contrib/opvp/gdevopvp.c
++++ b/contrib/opvp/gdevopvp.c
+@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist)
+ code = param_read_string(plist, pname, &vdps);
+ switch (code) {
+ case 0:
++ if (gs_is_path_control_active(dev->memory)
++ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size
++ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) {
++ param_signal_error(plist, pname, gs_error_invalidaccess);
++ return_error(gs_error_invalidaccess);
++ }
+ buff = realloc(buff, vdps.size + 1);
+ memcpy(buff, vdps.data, vdps.size);
+ buff[vdps.size] = 0;
+--
+cgit v1.2.3
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 9e33626..77267a0 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
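Review bot: The guard added under `case 0:` reads `opdev->globals.vectorDriver`, but nothing on this page shows that `opdev` or its `globals` member exists in the 9.56.1 copy of `_put_params` that `%patch106 -p1` applies this to; the embedded hunk still carries upstream's `-3456,6` offsets and cgit footer, so it appears to be taken verbatim rather than rebased. Please confirm the package builds with the opvp/oprp devices compiled in, and that changing `Driver` to a different value once path control is active is rejected with `gs_error_invalidaccess`. A short comment above the `if` would also help, e.g. `/* Driver names a library that gets loaded: once path control is active only a re-set to the current value is allowed */`. Separately, the unchanged line right after the guard, `buff = realloc(buff, vdps.size + 1);`, feeds `memcpy` without a NULL check, which is worth a follow-up upstream. `_put_params` begins and ends outside the hunk.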
@@ -9,7 +9,7 @@ Name: ghostscript Version: 9.56.1 -Release: 4 +Release: 5 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ @@ -41,6 +41,7 @@ Patch102: CVE-2023-36664.patch Patch103: CVE-2023-38559.patch Patch104: backport-CVE-2023-46751.patch Patch105: fix-cve-2023-52722.patch +Patch106: CVE-2024-33871.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -114,6 +115,7 @@ PDF files using Ghostscript and dvips %patch103 -p0 %patch104 -p1 %patch105 -p1 +%patch106 -p1 # Libraries that we already have packaged(see Build Requirements): rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib @@ -207,6 +209,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Fri May 10 2024 qz_cx wangqingzheng@kylinos.cn - 9.56.1-5 +- Type:CVE +- ID:NA +- SUG:NA +- DESC: fix CVE-2024-33871 + * Sun Apr 28 2024 xuchenchen - 9.56.1-4 - Type:CVE - ID:NA -- Gitee