packages/ghostscript
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-33871

Browse Source
This commit is contained in:
dillon_chen 2024-09-24 15:42:30 +08:00
parent aab56fda7e
commit 23dbabfe92
3 changed files with 70 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
CVE-2023-46751.patch
View File

@ -1,43 +0,0 @@
From 5d2da96e81c7455338302c71a291088a8396245a Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Mon, 16 Oct 2023 16:49:40 +0100
Subject: [PATCH] Bug 707264: Fix tiffsep(1) requirement for seekable output
files
In the device initialization redesign, tiffsep and tiffsep1 lost the requirement
for the output files to be seekable.
Fixing that highlighted a problem with the error handling in
gdev_prn_open_printer_seekable() where closing the erroring file would leave a
dangling pointer, and lead to a crash.
---
base/gdevprn.c | 1 +
devices/gdevtsep.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/base/gdevprn.c b/base/gdevprn.c
index 0491a3c6c..033632387 100644
--- a/base/gdevprn.c
+++ b/base/gdevprn.c
@@ -1271,6 +1271,7 @@ gdev_prn_open_printer_seekable(gx_device *pdev, bool binary_mode,
&& !IS_LIBCTX_STDERR(pdev->memory, gp_get_file(ppdev->file))) {
code = gx_device_close_output_file(pdev, ppdev->fname, ppdev->file);
+ ppdev->file = NULL;
if (code < 0)
return code;
}
diff --git a/devices/gdevtsep.c b/devices/gdevtsep.c
index 7fd3c5518..f7a1b174b 100644
--- a/devices/gdevtsep.c
+++ b/devices/gdevtsep.c
@@ -737,6 +737,7 @@ tiffsep_initialize_device_procs(gx_device *dev)
{
gdev_prn_initialize_device_procs(dev);
+ set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
set_dev_proc(dev, open_device, tiffsep_prn_open);
set_dev_proc(dev, close_device, tiffsep_prn_close);
set_dev_proc(dev, map_color_rgb, tiffsep_decode_color);
--
2.34.1

62
fix-CVE-2024-33871.patch Normal file
View File

@ -0,0 +1,62 @@
diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
index 70475ad..013a497 100644
--- a/contrib/opvp/gdevopvp.c
+++ b/contrib/opvp/gdevopvp.c
@@ -185,7 +185,7 @@ static int opvp_copy_color(gx_device *, const byte *, int, int,
static int _get_params(gs_param_list *);
static int opvp_get_params(gx_device *, gs_param_list *);
static int oprp_get_params(gx_device *, gs_param_list *);
-static int _put_params(gs_param_list *);
+static int _put_params(gx_device *, gs_param_list *);
static int opvp_put_params(gx_device *, gs_param_list *);
static int oprp_put_params(gx_device *, gs_param_list *);
static int opvp_fill_path(gx_device *, const gs_gstate *, gx_path *,
@@ -3043,7 +3043,7 @@ _get_params(gs_param_list *plist)
/* vector driver name */
pname = "Driver";
vdps.data = (byte *)vectorDriver;
- vdps.size = (vectorDriver ? strlen(vectorDriver) + 1 : 0);
+ vdps.size = (vectorDriver ? strlen(vectorDriver) : 0);
vdps.persistent = false;
code = param_write_string(plist, pname, &vdps);
if (code) ecode = code;
@@ -3180,7 +3180,7 @@ oprp_get_params(gx_device *dev, gs_param_list *plist)
* put params
*/
static int
-_put_params(gs_param_list *plist)
+_put_params(gx_device *dev, gs_param_list *plist)
{
int code;
int ecode = 0;
@@ -3202,6 +3202,12 @@ _put_params(gs_param_list *plist)
code = param_read_string(plist, pname, &vdps);
switch (code) {
case 0:
+ if (gs_is_path_control_active(dev->memory)
+ && (!vectorDriver || strlen(vectorDriver) != vdps.size
+ || memcmp(vectorDriver, vdps.data, vdps.size) != 0)) {
+ param_signal_error(plist, pname, gs_error_invalidaccess);
+ return_error(gs_error_invalidaccess);
+ }
buff = realloc(buff, vdps.size + 1);
memcpy(buff, vdps.data, vdps.size);
buff[vdps.size] = 0;
@@ -3403,7 +3409,7 @@ opvp_put_params(gx_device *dev, gs_param_list *plist)
int code;
/* put params */
- code = _put_params(plist);
+ code = _put_params(dev, plist);
if (code) return code;
/* put default params */
@@ -3419,7 +3425,7 @@ oprp_put_params(gx_device *dev, gs_param_list *plist)
int code;
/* put params */
- code = _put_params(plist);
+ code = _put_params(dev, plist);
if (code) return code;
/* put default params */

10
ghostscript.spec
View File

@ -9,7 +9,7 @@
Name: ghostscript Name: ghostscript
Version: 9.55.0 Version: 9.55.0
Release: 11 Release: 12
Summary: An interpreter for PostScript and PDF files Summary: An interpreter for PostScript and PDF files
License: AGPLv3+ License: AGPLv3+
URL: https://ghostscript.com/ URL: https://ghostscript.com/
@ -41,8 +41,8 @@ Patch15: Bug-707510-review-printing-of-pointers.patch
# CVE-2024-29511 # CVE-2024-29511
Patch16: Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch Patch16: Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch
Patch17: Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch Patch17: Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch
Patch18: Bug-707510-fix-LIBIDN-usage.patch Patch18: Bug-707510-fix-LIBIDN-usage.patch
Patch19: fix-CVE-2024-33871.patch
BuildRequires: automake gcc BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -203,6 +203,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
%{_bindir}/dvipdf %{_bindir}/dvipdf
%changelog %changelog
* Tue Sep 24 2024 dillon chen <dillon.chen@gmail.com> - 9.55.0-12
- Type:CVE
- ID:NA
- SUG:NA
- DECS: fix CVE-2024-33871
* Fri Jul 12 2024 zhangxianting <zhangxianting@uniontech.com> - 9.55.0-11 * Fri Jul 12 2024 zhangxianting <zhangxianting@uniontech.com> - 9.55.0-11
- Type:CVE - Type:CVE
- ID:NA - ID:NA