fix CVE-2023-28879

(cherry picked from commit 0db73b54a7ff85c6cc304b71d80c268f9e66e441)
liningjie 2023-08-24 11:01:16 +08:00 committed by openeuler-sync-bot
parent c4d2c0d2ef
commit 165b163e5b
2 changed files with 54 additions and 1 deletions

CVE-2023-28879.patch

@ -0,0 +1,49 @@
From 5fc0b03188397142c61437e8ec68eb947abebf58 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Fri, 24 Mar 2023 13:19:57 +0000
Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
Bug #706494 "Buffer Overflow in s_xBCPE_process"
As described in detail in the bug report, if the write buffer is filled
to one byte less than full, and we then try to write an escaped
character, we overrun the buffer because we don't check before
writing two bytes to it.
This just checks if we have two bytes before starting to write an
escaped character and exits if we don't (replacing the consumed byte
of the input).
Up for further discussion; why do we even permit a BCP encoding filter
anyway ? I think we should remove this, at least when SAFER is true.
---
base/sbcp.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/base/sbcp.c b/base/sbcp.c
index 979ae0992..47fc233ec 100644
--- a/base/sbcp.c
+++ b/base/sbcp.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2021 Artifex Software, Inc.
+/* Copyright (C) 2001-2023 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
byte ch = *++p;
if (ch <= 31 && escaped[ch]) {
+ /* Make sure we have space to store two characters in the write buffer,
+ * if we don't then exit without consuming the input character, we'll process
+ * that on the next time round.
+ */
+ if (pw->limit - q < 2) {
+ p--;
+ break;
+ }
if (p == rlimit) {
p--;
break;
--
2.34.1
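Review bot: In the `@@ -50,6 +50,14 @@` hunk of base/sbcp.c, the new `if (pw->limit - q < 2)` guard leaves the loop through the same `p--; break;` as the `p == rlimit` case directly below it, and the visible lines do not show what status s_xBCPE_process returns after the loop. These two exits mean different things (output buffer full versus input exhausted), so confirm the code after the loop reports "output full" on the new path; otherwise the caller may wait for more input instead of draining the write buffer. The check itself matches the commit message: `p--` restores the byte taken by `*++p`, so nothing is lost on re-entry. The patch carries no regression test; a case that fills the write buffer to one byte short of full and then feeds a character with `escaped[ch]` set would pin the behaviour down. The commit message's open question about permitting the BCP encoding filter under SAFER is not addressed by this backport and should be tracked separately.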


@ -9,7 +9,7 @@
Name: ghostscript Name: ghostscript
Version: 9.55.0 Version: 9.55.0
Release: 3 Release: 4
Summary: An interpreter for PostScript and PDF files Summary: An interpreter for PostScript and PDF files
License: AGPLv3+ License: AGPLv3+
URL: https://ghostscript.com/ URL: https://ghostscript.com/
@ -19,6 +19,7 @@ Patch0: ghostscript-9.23-100-run-dvipdf-securely.patch
Patch1: backport-Bug-704405-Fix-typo-in-non-forked-lcms2-code.patch Patch1: backport-Bug-704405-Fix-typo-in-non-forked-lcms2-code.patch
Patch2: backport-CVE-2022-2085.patch Patch2: backport-CVE-2022-2085.patch
Patch3: CVE-2023-38559.patch Patch3: CVE-2023-38559.patch
Patch4: CVE-2023-28879.patch
BuildRequires: automake gcc BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
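Review bot: `Patch4: CVE-2023-28879.patch` is only declared in this hunk, and no part of the visible diff touches %prep, so confirm the spec applies patches automatically (for example through %autosetup) rather than through per-patch `%patch` lines; if it is the latter, the fix is packaged but never applied. As a style point, Patch1 and Patch2 use a `backport-` prefix while Patch3 and the new Patch4 do not, even though this patch is an upstream commit (`From: Ken Sharp`, Bug #706494); consider one naming scheme so the origin of each patch is clear from the file name.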
@ -179,6 +180,9 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
%{_bindir}/dvipdf %{_bindir}/dvipdf
%changelog %changelog
* Thu Aug 24 2023 liningjie <liningjie@xfusion.com> - 9.55.0-4
- fix CVE-2023-28879
* Tue Aug 15 2023 liningjie <liningjie@xfusion.com> - 9.55.0-3 * Tue Aug 15 2023 liningjie <liningjie@xfusion.com> - 9.55.0-3
- fix CVE-2023-38559 - fix CVE-2023-38559