diff --git a/fix-CVE-2024-29510.patch b/fix-CVE-2024-29510.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5c6f25fafb72a506ebb1c2d821be6989a5e5d3b0
--- /dev/null
+++ b/fix-CVE-2024-29510.patch
@@ -0,0 +1,78 @@
+From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Thu, 21 Mar 2024 09:01:15 +0000
+Subject: [PATCH] Uniprint device - prevent string configuration changes when SAFER
+
+Bug #707662
+
+We cannot sanitise the string arguments used by the Uniprint device
+because they can potentially include anything.
+
+This commit ensures that these strings are locked and cannot be
+changed by PostScript once SAFER is activated. Full configuration from
+the command line is still possible (see the *.upp files in lib).
+
+This addresses CVE-2024-29510
+---
+ devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/devices/gdevupd.c b/devices/gdevupd.c
+index 179c400..7826507 100644
+--- a/devices/gdevupd.c
++++ b/devices/gdevupd.c
+@@ -1887,6 +1887,16 @@ out on this copies.
+ if(!upd_strings[i]) continue;
+ UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
+ if(0 == code) {
++ if (gs_is_path_control_active(udev->memory)) {
++ if (strings[i].size != value.size)
++ error = gs_error_invalidaccess;
++ else {
++ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
++ error = gs_error_invalidaccess;
++ }
++ if (error < 0)
++ goto exit;
++ }
+ if(0 <= error) error |= UPD_PUT_STRINGS;
+ UPD_MM_DEL_PARAM(udev->memory, strings[i]);
+ if(!value.size) {
+@@ -1904,6 +1914,26 @@ out on this copies.
+ if(!upd_string_a[i]) continue;
+ UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
+ if(0 == code) {
++ if (gs_is_path_control_active(udev->memory)) {
++ if (string_a[i].size != value.size)
++ error = gs_error_invalidaccess;
++ else {
++ int loop;
++ for (loop = 0;loop < string_a[i].size;loop++) {
++ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
++ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
++
++ if (tmp1->size != tmp2->size)
++ error = gs_error_invalidaccess;
++ else {
++ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
++ error = gs_error_invalidaccess;
++ }
++ }
++ }
++ if (error < 0)
++ goto exit;
++ }
+ if(0 <= error) error |= UPD_PUT_STRING_A;
+ UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
+ if(!value.size) {
+@@ -2098,6 +2128,7 @@ transferred into the device-structure. In the case of "uniprint", this may
+ if(0 > code) error = code;
+ }
+
++exit:
+ if(0 < error) { /* Actually something loaded without error */
+
+ if(!(upd = udev->upd)) {
+--
+2.27.0
+
diff --git a/fix-CVE-2024-33869.patch b/fix-CVE-2024-33869.patch
new file mode 100644
index 0000000000000000000000000000000000000000..94cd8cb0ce60369d4c74f6117d6593f2b881c54e
--- /dev/null
+++ b/fix-CVE-2024-33869.patch
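Review bot: The `if (error < 0) goto exit;` added inside both `gs_is_path_control_active` blocks fires on any negative `error`, not only on the mismatch detected just above it, so a failure recorded by an earlier parameter now aborts the remaining reads where the old code carried on and only skipped the `if(0 <= error) error |= …` updates; if that is intended it deserves a comment, otherwise test a local flag, e.g. `int locked = 0; … if (locked) { error = gs_error_invalidaccess; goto exit; }`. The rejection is also not reported through `param_signal_error` the way the opvp change in this same commit does, so the PostScript caller does not learn which key was refused — whether a `gs_param_list` is reachable at this point is not visible in the hunk. In the array loop `int loop` is compared with `string_a[i].size`; if that field is unsigned the comparison warns under `-Wsign-compare` and `uint`/`size_t` is the cleaner type. The enclosing put_params function and the surroundings of the `exit:` label lie outside the hunk.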
@@ -0,0 +1,34 @@
+From 5ae2e320d69a7d0973011796bd388cd5befa1a43 Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Tue, 26 Mar 2024 12:02:57 +0000
+Subject: [PATCH] fix CVE-2024-33869
+
+Part 1; when stripping a potential Current Working Dirctory specifier
+from a path, make certain it really is a CWD, and not simply large
+ebough to be a CWD.
+
+Reasons are in the bug thread, this is not (IMO) serious.
+
+This is part of the fix for CVE-2024-33869
+---
+ base/gpmisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index f9a9230..f6b8870 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1136,8 +1136,8 @@ gp_validate_path_len(const gs_memory_t *mem,
+ memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
+ continue;
+ }
+- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
+- buffer = bufferfull + cdirstrl + dirsepstrl;
++ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
++ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
+ continue;
+ }
+ break;
+--
+2.27.0
+
diff --git a/fix-CVE-2024-33870.patch b/fix-CVE-2024-33870.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f2f093b5e941b9716d35ef44fe50731dbdaca159
--- /dev/null
+++ b/fix-CVE-2024-33870.patch
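Review bot: The new condition tests `memcmp(buffer, cdirstr, cdirstrl)` without negating it, so the branch is taken when the buffer does not start with the current-directory string (only the separator test is negated), which is the opposite of what the commit message says it verifies. The removed line `buffer = bufferfull + cdirstrl + dirsepstrl;` is not reinstated on the new side, so when the branch is taken `continue` re-enters `while (1)` with `buffer` unchanged; unless something else in the loop body (outside this hunk) advances it, the same `code < 0` outcome recurs and the loop never terminates. Suggested form: `&& !memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {` followed by `buffer = bufferfull + cdirstrl + dirsepstrl;` before the `continue;`. Both ends of gp_validate_path_len are outside the hunk, so the loop's other exits cannot be checked here.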
@@ -0,0 +1,88 @@
+From 79aef19c685984dc3da2dc090450407d9fbcff80 Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Tue, 26 Mar 2024 12:00:14 +0000
+Subject: [PATCH] fix CVE-2024-33870
+
+See bug thread for details
+
+In addition to the noted bug; an error path (return from
+gp_file_name_reduce not successful) could elad to a memory leak as we
+did not free 'bufferfull'. Fix that too.
+
+This addresses CVE-2024-33870
+---
+ base/gpmisc.c | 34 +++++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index f6b8870..cbc6139 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ const uint len,
+ const char *mode)
+ {
+- char *buffer, *bufferfull;
++ char *buffer, *bufferfull = NULL;
+ uint rlen;
+ int code = 0;
+ const char *cdirstr = gp_file_name_current();
+@@ -1095,8 +1095,10 @@ gp_validate_path_len(const gs_memory_t *mem,
+ return gs_error_VMerror;
+
+ buffer = bufferfull + prefix_len;
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
++ code = gs_note_error(gs_error_invalidfileaccess);
++ goto exit;
++ }
+ buffer[rlen] = 0;
+ }
+ while (1) {
+@@ -1131,9 +1133,34 @@ gp_validate_path_len(const gs_memory_t *mem,
+ code = gs_note_error(gs_error_invalidfileaccess);
+ }
+ if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
++ uint newlen = rlen + cdirstrl + dirsepstrl;
++ char *newbuffer;
++ int code;
++
+ buffer = bufferfull;
+ memcpy(buffer, cdirstr, cdirstrl);
+ memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
++
++ /* We've prepended a './' or similar for the current working directory. We need
++ * to execute file_name_reduce on that, to eliminate any '../' or similar from
++ * the (new) full path.
++ */
++ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
++ if (newbuffer == NULL) {
++ code = gs_note_error(gs_error_VMerror);
++ goto exit;
++ }
++
++ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
++ newbuffer[newlen] = 0x00;
++
++ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
++ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
++ if (code != gp_combine_success) {
++ code = gs_note_error(gs_error_invalidfileaccess);
++ goto exit;
++ }
++
+ continue;
+ }
+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
+@@ -1152,6 +1179,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ gs_path_control_flag_is_scratch_file);
+ }
+
++exit:
+ gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
+ #ifdef EACCES
+ if (code == gs_error_invalidfileaccess)
+--
+2.27.0
+
diff --git a/fix-CVE-2024-33871.patch b/fix-CVE-2024-33871.patch
new file mode 100644
index 0000000000000000000000000000000000000000..86c637613086ebddcbe9e8b236da4c7dedc29e4c
--- /dev/null
+++ b/fix-CVE-2024-33871.patch
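Review bot: The block declares a second `int code;` that shadows the function-scope `code` initialised to 0 in the first hunk, so the `code = gs_note_error(gs_error_VMerror)` and `gs_note_error(gs_error_invalidfileaccess)` assignments before each `goto exit` land in the inner variable and `exit:` returns whatever the outer `code` held — a negative value from the preceding validation, but not the error actually hit, and `gs_note_error` is called for nothing. Dropping the inner declaration, or renaming it to hold only the `gp_file_name_reduce` result (`int rcode = gp_file_name_reduce(...); if (rcode != gp_combine_success) { code = gs_note_error(gs_error_invalidfileaccess); goto exit; }`), fixes that; `-Wshadow` would have flagged it. After the reduce into `buffer`, `rlen` still holds the pre-prefix length and nothing writes a terminator at `buffer[newlen]` the way the first pass does with `buffer[rlen] = 0;`, so if the rest of the loop (outside the hunk) validates using `rlen` or expects a NUL, it needs `rlen = newlen; buffer[newlen] = 0;` before `continue`. The `memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl)` also presumes `prefix_len == cdirstrl + dirsepstrl` so the two prefix pieces abut the path at `bufferfull + prefix_len`; that relation is established outside the hunk and worth a one-line assertion or comment here.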
@@ -0,0 +1,38 @@
+From 7145885041bb52cc23964f0aa2aec1b1c82b5908 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Mon, 22 Apr 2024 13:33:47 +0100
+Subject: OPVP device - prevent unsafe parameter change with SAFER
+
+Bug #707754 "OPVP device - Arbitrary code execution via custom Driver library"
+
+The "Driver" parameter for the "opvp"/"oprp" device specifies the name
+of a dynamic library and allows any library to be loaded.
+
+The patch does not allow changing this parameter after activating path
+control.
+
+This addresses CVE-2024-33871
+---
+ contrib/opvp/gdevopvp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
+index 5f20cac..327152d 100644
+--- a/contrib/opvp/gdevopvp.c
++++ b/contrib/opvp/gdevopvp.c
+@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist)
+ code = param_read_string(plist, pname, &vdps);
+ switch (code) {
+ case 0:
++ if (gs_is_path_control_active(dev->memory)
++ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size
++ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) {
++ param_signal_error(plist, pname, gs_error_invalidaccess);
++ return_error(gs_error_invalidaccess);
++ }
+ buff = realloc(buff, vdps.size + 1);
+ memcpy(buff, vdps.data, vdps.size);
+ buff[vdps.size] = 0;
+--
+2.27.0
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 9e3362693d161bf00d53fd281950cad9af65afc5..c0e7fab89626fc7f6a9ce3e6baa25f74793a2621 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -9,7 +9,7 @@
 Name: ghostscript
 Version: 9.56.1
-Release: 4
+Release: 5
 Summary: An interpreter for PostScript and PDF files
 License: AGPLv3+
 URL: https://ghostscript.com/
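Review bot: The early `return_error(gs_error_invalidaccess)` leaves `_put_params` before the `buff = realloc(...)` on the following context line, so whatever `buff` already holds at that point is neither stored nor released; `buff`'s declaration and ownership are outside the hunk, but if it is a heap buffer belonging to this call the reject path needs a `free(buff);` (or equivalent) before returning. The comparison itself is sound: a driver never set before path control activated is refused outright, a re-assignment of the identical string passes, and the `!opdev->globals.vectorDriver` test precedes the `strlen` so no NULL is dereferenced. Since the hunk introduces a second exit right beside it, the adjacent `buff = realloc(buff, vdps.size + 1);` is a good moment to switch to `char *tmp = realloc(buff, vdps.size + 1); if (!tmp) return_error(gs_error_VMerror); buff = tmp;` rather than overwriting the pointer unchecked. The `switch` and the rest of `_put_params` continue past the hunk.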
@@ -41,6 +41,10 @@ Patch102: CVE-2023-36664.patch
 Patch103: CVE-2023-38559.patch
 Patch104: backport-CVE-2023-46751.patch
 Patch105: fix-cve-2023-52722.patch
+Patch106: fix-CVE-2024-29510.patch
+Patch107: fix-CVE-2024-33869.patch
+Patch108: fix-CVE-2024-33870.patch
+Patch109: fix-CVE-2024-33871.patch
 BuildRequires: automake gcc
 BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -114,6 +118,10 @@ PDF files using Ghostscript and dvips
 %patch103 -p0
 %patch104 -p1
 %patch105 -p1
+%patch106 -p1
+%patch107 -p1
+%patch108 -p1
+%patch109 -p1
 # Libraries that we already have packaged(see Build Requirements):
 rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
@@ -207,6 +215,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 %changelog
+* Fri May 10 2024 xuchenchen - 9.56.1-5
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: fix CVE-2024-29510 CVE-2024-33869 CVE-2024-33870 CVE-2024-33871
+
+* Sun Apr 28 2024 xuchenchen - 9.56.1-4
 - Type:CVE
 - ID:NA