From f8c91d5f6a63541b4915500c26627aa3d3eeaf86 Mon Sep 17 00:00:00 2001
From: xuchenchen
Date: Mon, 27 May 2024 09:26:00 +0800
Subject: [PATCH] fix CVE-2024-29510 CVE-2024-33869 CVE-2024-33870
---
fix-CVE-2024-29510.patch | 78 +++++++++++++++++++++++++++++++++++
fix-CVE-2024-33869.patch | 34 ++++++++++++++++
fix-CVE-2024-33870.patch | 88 ++++++++++++++++++++++++++++++++++++++++
ghostscript.spec | 11 ++++-
4 files changed, 210 insertions(+), 1 deletion(-)
create mode 100644 fix-CVE-2024-29510.patch
create mode 100644 fix-CVE-2024-33869.patch
create mode 100644 fix-CVE-2024-33870.patch

diff --git a/fix-CVE-2024-29510.patch b/fix-CVE-2024-29510.patch
new file mode 100644
index 0000000..5c6f25f
--- /dev/null
+++ b/fix-CVE-2024-29510.patch
@@ -0,0 +1,78 @@
+From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Thu, 21 Mar 2024 09:01:15 +0000
+Subject: [PATCH] Uniprint device - prevent string configuration changes when SAFER
+
+Bug #707662
+
+We cannot sanitise the string arguments used by the Uniprint device
+because they can potentially include anything.
+
+This commit ensures that these strings are locked and cannot be
+changed by PostScript once SAFER is activated. Full configuration from
+the command line is still possible (see the *.upp files in lib).
+
+This addresses CVE-2024-29510
+---
+ devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/devices/gdevupd.c b/devices/gdevupd.c
+index 179c400..7826507 100644
+--- a/devices/gdevupd.c
++++ b/devices/gdevupd.c
+@@ -1887,6 +1887,16 @@ out on this copies.
+ if(!upd_strings[i]) continue;
+ UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
+ if(0 == code) {
++ if (gs_is_path_control_active(udev->memory)) {
++ if (strings[i].size != value.size)
++ error = gs_error_invalidaccess;
++ else {
++ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
++ error = gs_error_invalidaccess;
++ }
++ if (error < 0)
++ goto exit;
++ }
+ if(0 <= error) error |= UPD_PUT_STRINGS;
+ UPD_MM_DEL_PARAM(udev->memory, strings[i]);
+ if(!value.size) {
+@@ -1904,6 +1914,26 @@ out on this copies.
+ if(!upd_string_a[i]) continue;
+ UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
+ if(0 == code) {
++ if (gs_is_path_control_active(udev->memory)) {
++ if (string_a[i].size != value.size)
++ error = gs_error_invalidaccess;
++ else {
++ int loop;
++ for (loop = 0;loop < string_a[i].size;loop++) {
++ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
++ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
++
++ if (tmp1->size != tmp2->size)
++ error = gs_error_invalidaccess;
++ else {
++ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
++ error = gs_error_invalidaccess;
++ }
++ }
++ }
++ if (error < 0)
++ goto exit;
++ }
+ if(0 <= error) error |= UPD_PUT_STRING_A;
+ UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
+ if(!value.size) {
+@@ -2098,6 +2128,7 @@ transferred into the device-structure. In the case of "uniprint", this may
+ if(0 > code) error = code;
+ }
+
++exit:
+ if(0 < error) { /* Actually something loaded without error */
+
+ if(!(upd = udev->upd)) {
+--
+2.27.0
+
diff --git a/fix-CVE-2024-33869.patch b/fix-CVE-2024-33869.patch
new file mode 100644
index 0000000..94cd8cb
--- /dev/null
+++ b/fix-CVE-2024-33869.patch
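Review bot: The comparison loop added in the `@@ -1904` hunk declares `int loop;` and tests it against `string_a[i].size`, a signed/unsigned comparison if `size` is the `uint` member of gs_param_string_array as declared in gsparam.h; `uint loop;` keeps it clean under -Wsign-compare, and a `break;` right after `error = gs_error_invalidaccess;` would stop comparing once a mismatch is found. Neither new block says why the parameters are refused; above the first `if (gs_is_path_control_active(udev->memory))` I would add `/* Once SAFER (path control) is active these strings are locked: they cannot be sanitised, so any value differing from the configured one is refused with invalidaccess. */`, and the same comment belongs on the array block. The `goto exit` lands on the new `exit:` label in the `@@ -2098` hunk, jumping over whatever sits between the two hunks; the function body lies outside all three hunks, so I cannot see whether anything skipped there needs releasing on that path.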
@@ -0,0 +1,34 @@
+From 5ae2e320d69a7d0973011796bd388cd5befa1a43 Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Tue, 26 Mar 2024 12:02:57 +0000
+Subject: [PATCH] fix CVE-2024-33869
+
+Part 1; when stripping a potential Current Working Dirctory specifier
+from a path, make certain it really is a CWD, and not simply large
+ebough to be a CWD.
+
+Reasons are in the bug thread, this is not (IMO) serious.
+
+This is part of the fix for CVE-2024-33869
+---
+ base/gpmisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index f9a9230..f6b8870 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1136,8 +1136,8 @@ gp_validate_path_len(const gs_memory_t *mem,
+ memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
+ continue;
+ }
+- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
+- buffer = bufferfull + cdirstrl + dirsepstrl;
++ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
++ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
+ continue;
+ }
+ break;
+--
+2.27.0
+
diff --git a/fix-CVE-2024-33870.patch b/fix-CVE-2024-33870.patch
new file mode 100644
index 0000000..c74461f
--- /dev/null
+++ b/fix-CVE-2024-33870.patch
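Review bot: The added condition `&& memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)` reads inverted against the stated intent of "make certain it really is a CWD": a non-zero memcmp means buffer does not begin with the CWD string, so the branch fires for paths that are not CWD-prefixed and skips the ones that are; the intended test is presumably `&& !memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {`. The branch also now reaches `continue;` without the removed `buffer = bufferfull + cdirstrl + dirsepstrl;`, so nothing in the hunk changes `buffer`, `code` or `prefix_len` before the loop re-validates; unless the loop head (outside this hunk) alters that state, the next iteration sees identical inputs and takes this branch again. Restoring the advance, or breaking out of the loop when the prefix is absent, is needed alongside the negation. gp_validate_path_len starts and ends outside the hunk, so this is inferred from the visible branch only.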
@@ -0,0 +1,88 @@
+From 79aef19c685984dc3da2dc090450407d9fbcff80 Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Tue, 26 Mar 2024 12:00:14 +0000
+Subject: [PATCH] fix CVE-2024-33870
+
+See bug thread for details
+
+In addition to the noted bug; an error path (return from
+gp_file_name_reduce not successful) could elad to a memory leak as we
+did not free 'bufferfull'. Fix that too.
+
+This addresses CVE-2024-33870
+---
+ base/gpmisc.c | 34 +++++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 98096a1..a3714fc 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1012,7 +1012,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ const uint len,
+ const char *mode)
+ {
+- char *buffer, *bufferfull;
++ char *buffer, *bufferfull = NULL;
+ uint rlen;
+ int code = 0;
+ const char *cdirstr = gp_file_name_current();
+@@ -1065,8 +1065,10 @@ gp_validate_path_len(const gs_memory_t *mem,
+ return gs_error_VMerror;
+
+ buffer = bufferfull + prefix_len;
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
++ code = gs_note_error(gs_error_invalidfileaccess);
++ goto exit;
++ }
+ buffer[rlen] = 0;
+ }
+ while (1) {
+@@ -1094,9 +1096,34 @@ gp_validate_path_len(const gs_memory_t *mem,
+ code = gs_note_error(gs_error_invalidfileaccess);
+ }
+ if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
++ uint newlen = rlen + cdirstrl + dirsepstrl;
++ char *newbuffer;
++ int code;
++
+ buffer = bufferfull;
+ memcpy(buffer, cdirstr, cdirstrl);
+ memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
++
++ /* We've prepended a './' or similar for the current working directory. We need
++ * to execute file_name_reduce on that, to eliminate any '../' or similar from
++ * the (new) full path.
++ */
++ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
++ if (newbuffer == NULL) {
++ code = gs_note_error(gs_error_VMerror);
++ goto exit;
++ }
++
++ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
++ newbuffer[newlen] = 0x00;
++
++ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
++ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
++ if (code != gp_combine_success) {
++ code = gs_note_error(gs_error_invalidfileaccess);
++ goto exit;
++ }
++
+ continue;
+ }
+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
+@@ -1106,6 +1133,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ break;
+ }
+
++exit:
+ gs_free_object(mem->non_gc_memory, bufferfull, "gp_validate_path");
+ #ifdef EACCES
+ if (code == gs_error_invalidfileaccess)
+--
+2.23.0
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 67c08f8..5e637d4 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -9,7 +9,7 @@ Name: ghostscript
Version: 9.52
-Release: 11
+Release: 12
Summary: An interpreter for PostScript and PDF files
License: AGPLv3+
URL: https://ghostscript.com/
@@ -54,6 +54,9 @@ Patch35: CVE-2023-28879.patch
Patch36: CVE-2023-36664.patch
Patch37: backport-CVE-2023-46751.patch
Patch38: CVE-2020-36773.patch
+Patch39: fix-CVE-2024-29510.patch
+Patch40: fix-CVE-2024-33869.patch
+Patch41: fix-CVE-2024-33870.patch
BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -214,6 +217,12 @@ make check
%{_bindir}/dvipdf
%changelog
+* Sun May 26 2024 xuchenchen - 9.52-12
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: fix CVE-2024-29510 CVE-2024-33869 CVE-2024-33870
+
* Mon Apr 15 2024 GuoCe - 9.52-11
- Type:CVE
- ID:CVE-2020-36773
-- Gitee
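Review bot: In the `@@ -1094` hunk the new `int code;` inside the `if (code < 0 && prefix_len > 0 && buffer > bufferfull)` block shadows the function-level `int code = 0;` visible in the `@@ -1012` context, so `code = gs_note_error(gs_error_VMerror); goto exit;` and the reduce-failure path both assign the inner variable, which is out of scope at `exit:`; the function then reports whatever the outer `code` held (the earlier validation failure), not VMerror, and -Wshadow would flag it. Deleting the `int code;` line is the fix. The earlier reduce call in the `@@ -1065` hunk is followed by `buffer[rlen] = 0;`, whereas the new `gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen)` into `buffer` has no terminator and leaves `rlen` at the old length; if gp_file_name_reduce does not write a NUL, a shortened result would keep stale bytes of the prepended path after it, so a `buffer[newlen] = 0;` after the success check is worth adding. The rest of gp_validate_path_len lies outside these hunks.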