packages/ghostscript
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:86c25bf3f1a8de47c467677aa855c849369dbd53
Branches Tags
packages:main
..
compare: packages:43178ca521d9bae8417473f8522ceb66b324177a
Branches Tags
packages:main

No commits in common. "86c25bf3f1a8de47c467677aa855c849369dbd53" and "43178ca521d9bae8417473f8522ceb66b324177a" have entirely different histories.
86c25bf3f1 ... 43178ca521

9 changed files with 1 additions and 557 deletions
Show Stats Expand all files Collapse all files

141
CVE-2023-36664.patch
View File

@ -1,141 +0,0 @@
From 505eab7782b429017eb434b2b95120855f2b0e3c Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 7 Jun 2023 10:23:06 +0100
Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission
validation
For regular file names, we try to simplfy relative paths before we use them.
Because the %pipe% device can, effectively, accept command line calls, we
shouldn't be simplifying that string, because the command line syntax can end
up confusing the path simplifying code. That can result in permitting a pipe
command which does not match what was originally permitted.
Special case "%pipe" in the validation code so we always deal with the entire
string.
---
base/gpmisc.c | 31 +++++++++++++++++++--------
base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
2 files changed, 64 insertions(+), 23 deletions(-)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index 5f39ebba7..2fb87f769 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
prefix_len = 0;
}
- rlen = len+1;
- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
- if (bufferfull == NULL)
- return gs_error_VMerror;
-
- buffer = bufferfull + prefix_len;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
+ return gs_error_VMerror;
+
+ buffer = bufferfull + prefix_len;
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
while (1) {
switch (mode[0])
{
diff --git a/base/gslibctx.c b/base/gslibctx.c
index eb566ed06..d2a1aa91d 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len + 1;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++)
@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++) {
--
2.34.1

43
CVE-2023-46751.patch
View File

@ -1,43 +0,0 @@
From 5d2da96e81c7455338302c71a291088a8396245a Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Mon, 16 Oct 2023 16:49:40 +0100
Subject: [PATCH] Bug 707264: Fix tiffsep(1) requirement for seekable output
files
In the device initialization redesign, tiffsep and tiffsep1 lost the requirement
for the output files to be seekable.
Fixing that highlighted a problem with the error handling in
gdev_prn_open_printer_seekable() where closing the erroring file would leave a
dangling pointer, and lead to a crash.
---
base/gdevprn.c | 1 +
devices/gdevtsep.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/base/gdevprn.c b/base/gdevprn.c
index 0491a3c6c..033632387 100644
--- a/base/gdevprn.c
+++ b/base/gdevprn.c
@@ -1271,6 +1271,7 @@ gdev_prn_open_printer_seekable(gx_device *pdev, bool binary_mode,
&& !IS_LIBCTX_STDERR(pdev->memory, gp_get_file(ppdev->file))) {
code = gx_device_close_output_file(pdev, ppdev->fname, ppdev->file);
+ ppdev->file = NULL;
if (code < 0)
return code;
}
diff --git a/devices/gdevtsep.c b/devices/gdevtsep.c
index 7fd3c5518..f7a1b174b 100644
--- a/devices/gdevtsep.c
+++ b/devices/gdevtsep.c
@@ -737,6 +737,7 @@ tiffsep_initialize_device_procs(gx_device *dev)
{
gdev_prn_initialize_device_procs(dev);
+ set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
set_dev_proc(dev, open_device, tiffsep_prn_open);
set_dev_proc(dev, close_device, tiffsep_prn_close);
set_dev_proc(dev, map_color_rgb, tiffsep_decode_color);
--
2.34.1

57
backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch
View File

@ -1,57 +0,0 @@
From e59216049cac290fb437a04c4f41ea46826cfba5 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Thu, 24 Aug 2023 15:24:35 +0100
Subject: [PATCH 01/44] IJS device - try and secure the IJS server startup
Bug #707051 ""ijs" device can execute arbitrary commands"
The problem is that the 'IJS' device needs to start the IJS server, and
that is indeed an arbitrary command line. There is (apparently) no way
to validate it. Indeed, this is covered quite clearly in the comments
at the start of the source:
* WARNING: The ijs server can be selected on the gs command line
* which is a security risk, since any program can be run.
Previously this used the awful LockSafetyParams hackery, which we
abandoned some time ago because it simply couldn't be made secure (it
was implemented in PostScript and was therefore vulnerable to PostScript
programs).
This commit prevents PostScript programs switching to the IJS device
after SAFER has been activated, and prevents changes to the IjsServer
parameter after SAFER has been activated.
SAFER is activated, unless explicitly disabled, before any user
PostScript is executed which means that the device and the server
invocation can only be configured on the command line. This does at
least provide minimal security against malicious PostScript programs.
---
devices/gdevijs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/devices/gdevijs.c b/devices/gdevijs.c
index 8cbd84b97..16f5a1752 100644
--- a/devices/gdevijs.c
+++ b/devices/gdevijs.c
@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev)
static const char rgb[] = "DeviceRGB";
gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+ if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
+ return_error(gs_error_invalidaccess);
if (!ijsdev->ColorSpace) {
ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1,
"gsijs_initialize");
@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist)
if (code >= 0)
code = gsijs_read_string(plist, "IjsServer",
ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
- dev->LockSafetyParams, is_open);
+ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
if (code >= 0)
code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
--
2.33.0

43
backport-CVE-2023-46751.patch
View File

@ -1,43 +0,0 @@
From 5d2da96e81c7455338302c71a291088a8396245a Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Mon, 16 Oct 2023 16:49:40 +0100
Subject: [PATCH] Bug 707264: Fix tiffsep(1) requirement for seekable output
files
In the device initialization redesign, tiffsep and tiffsep1 lost the requirement
for the output files to be seekable.
Fixing that highlighted a problem with the error handling in
gdev_prn_open_printer_seekable() where closing the erroring file would leave a
dangling pointer, and lead to a crash.
---
base/gdevprn.c | 1 +
devices/gdevtsep.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/base/gdevprn.c b/base/gdevprn.c
index 0491a3c6c..033632387 100644
--- a/base/gdevprn.c
+++ b/base/gdevprn.c
@@ -1271,6 +1271,7 @@ gdev_prn_open_printer_seekable(gx_device *pdev, bool binary_mode,
&& !IS_LIBCTX_STDERR(pdev->memory, gp_get_file(ppdev->file))) {
code = gx_device_close_output_file(pdev, ppdev->fname, ppdev->file);
+ ppdev->file = NULL;
if (code < 0)
return code;
}
diff --git a/devices/gdevtsep.c b/devices/gdevtsep.c
index 7fd3c5518..f7a1b174b 100644
--- a/devices/gdevtsep.c
+++ b/devices/gdevtsep.c
@@ -737,6 +737,7 @@ tiffsep_initialize_device_procs(gx_device *dev)
{
gdev_prn_initialize_device_procs(dev);
+ set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
set_dev_proc(dev, open_device, tiffsep_prn_open);
set_dev_proc(dev, close_device, tiffsep_prn_close);
set_dev_proc(dev, map_color_rgb, tiffsep_decode_color);
--
2.34.1

78
fix-CVE-2024-29510.patch
View File

@ -1,78 +0,0 @@
From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 21 Mar 2024 09:01:15 +0000
Subject: [PATCH] Uniprint device - prevent string configuration changes when SAFER
Bug #707662
We cannot sanitise the string arguments used by the Uniprint device
because they can potentially include anything.
This commit ensures that these strings are locked and cannot be
changed by PostScript once SAFER is activated. Full configuration from
the command line is still possible (see the *.upp files in lib).
This addresses CVE-2024-29510
---
devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/devices/gdevupd.c b/devices/gdevupd.c
index 179c400..7826507 100644
--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
@@ -1887,6 +1887,16 @@ out on this copies.
if(!upd_strings[i]) continue;
UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
if(0 == code) {
+ if (gs_is_path_control_active(udev->memory)) {
+ if (strings[i].size != value.size)
+ error = gs_error_invalidaccess;
+ else {
+ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
+ error = gs_error_invalidaccess;
+ }
+ if (error < 0)
+ goto exit;
+ }
if(0 <= error) error |= UPD_PUT_STRINGS;
UPD_MM_DEL_PARAM(udev->memory, strings[i]);
if(!value.size) {
@@ -1904,6 +1914,26 @@ out on this copies.
if(!upd_string_a[i]) continue;
UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
if(0 == code) {
+ if (gs_is_path_control_active(udev->memory)) {
+ if (string_a[i].size != value.size)
+ error = gs_error_invalidaccess;
+ else {
+ int loop;
+ for (loop = 0;loop < string_a[i].size;loop++) {
+ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
+ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
+
+ if (tmp1->size != tmp2->size)
+ error = gs_error_invalidaccess;
+ else {
+ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
+ error = gs_error_invalidaccess;
+ }
+ }
+ }
+ if (error < 0)
+ goto exit;
+ }
if(0 <= error) error |= UPD_PUT_STRING_A;
UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
if(!value.size) {
@@ -2098,6 +2128,7 @@ transferred into the device-structure. In the case of "uniprint", this may
if(0 > code) error = code;
}
+exit:
if(0 < error) { /* Actually something loaded without error */
if(!(upd = udev->upd)) {
--
2.27.0

34
fix-CVE-2024-33869.patch
View File

@ -1,34 +0,0 @@
From 5ae2e320d69a7d0973011796bd388cd5befa1a43 Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Tue, 26 Mar 2024 12:02:57 +0000
Subject: [PATCH] fix CVE-2024-33869
Part 1; when stripping a potential Current Working Dirctory specifier
from a path, make certain it really is a CWD, and not simply large
ebough to be a CWD.
Reasons are in the bug thread, this is not (IMO) serious.
This is part of the fix for CVE-2024-33869
---
base/gpmisc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index f9a9230..f6b8870 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1136,8 +1136,8 @@ gp_validate_path_len(const gs_memory_t *mem,
memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
continue;
}
- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
- buffer = bufferfull + cdirstrl + dirsepstrl;
+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
+ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
continue;
}
break;
--
2.27.0

88
fix-CVE-2024-33870.patch
View File

@ -1,88 +0,0 @@
From 79aef19c685984dc3da2dc090450407d9fbcff80 Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Tue, 26 Mar 2024 12:00:14 +0000
Subject: [PATCH] fix CVE-2024-33870
See bug thread for details
In addition to the noted bug; an error path (return from
gp_file_name_reduce not successful) could elad to a memory leak as we
did not free 'bufferfull'. Fix that too.
This addresses CVE-2024-33870
---
base/gpmisc.c | 34 +++++++++++++++++++++++++++++++---
1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index f6b8870..cbc6139 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
const uint len,
const char *mode)
{
- char *buffer, *bufferfull;
+ char *buffer, *bufferfull = NULL;
uint rlen;
int code = 0;
const char *cdirstr = gp_file_name_current();
@@ -1095,8 +1095,10 @@ gp_validate_path_len(const gs_memory_t *mem,
return gs_error_VMerror;
buffer = bufferfull + prefix_len;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
+ code = gs_note_error(gs_error_invalidfileaccess);
+ goto exit;
+ }
buffer[rlen] = 0;
}
while (1) {
@@ -1131,9 +1133,34 @@ gp_validate_path_len(const gs_memory_t *mem,
code = gs_note_error(gs_error_invalidfileaccess);
}
if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
+ uint newlen = rlen + cdirstrl + dirsepstrl;
+ char *newbuffer;
+ int code;
+
buffer = bufferfull;
memcpy(buffer, cdirstr, cdirstrl);
memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
+
+ /* We've prepended a './' or similar for the current working directory. We need
+ * to execute file_name_reduce on that, to eliminate any '../' or similar from
+ * the (new) full path.
+ */
+ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
+ if (newbuffer == NULL) {
+ code = gs_note_error(gs_error_VMerror);
+ goto exit;
+ }
+
+ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
+ newbuffer[newlen] = 0x00;
+
+ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
+ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
+ if (code != gp_combine_success) {
+ code = gs_note_error(gs_error_invalidfileaccess);
+ goto exit;
+ }
+
continue;
}
else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
@@ -1152,6 +1179,7 @@ gp_validate_path_len(const gs_memory_t *mem,
gs_path_control_flag_is_scratch_file);
}
+exit:
gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
#ifdef EACCES
if (code == gs_error_invalidfileaccess)
--
2.27.0

38
fix-cve-2023-52722.patch
View File

@ -1,38 +0,0 @@
From afd7188f74918cb51b5fb89f52b54eb16e8acfd1 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: 2023-09-12 10:46:10 +0100
Subject: [PATCH] In SAFER (default) don't allow eexec seeds other than the Type 1 standard
---
psi/zmisc1.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/psi/zmisc1.c b/psi/zmisc1.c
index 3c47e99..81556ac 100644
--- a/psi/zmisc1.c
+++ b/psi/zmisc1.c
@@ -93,6 +93,9 @@ zexE(i_ctx_t *i_ctx_p)
if (code < 0)
return code;
+ if (gs_is_path_control_active(imemory) != 0 && state.cstate != 55665) {
+ return_error(gs_error_rangecheck);
+ }
return filter_write(i_ctx_p, code, &s_exE_template, (stream_state *)&state, 0);
}
@@ -130,6 +133,11 @@ zexD(i_ctx_t *i_ctx_p)
}
if (code < 0)
return code;
+
+ if (gs_is_path_control_active(imemory) != 0 && state.cstate != 55665) {
+ return_error(gs_error_rangecheck);
+ }
+
/*
* If we're reading a .PFB file, let the filter know about it,
* so it can read recklessly to the end of the binary section.
--
2.43.0

36
ghostscript.spec
View File

@ -9,7 +9,7 @@
Name: ghostscript
Version: 9.55.0
Release: 9
Release: 4
Summary: An interpreter for PostScript and PDF files
License: AGPLv3+
URL: https://ghostscript.com/
@ -20,13 +20,6 @@ Patch1: backport-Bug-704405-Fix-typo-in-non-forked-lcms2-code.patch
Patch2: backport-CVE-2022-2085.patch
Patch3: CVE-2023-38559.patch
Patch4: CVE-2023-28879.patch
Patch5: CVE-2023-36664.patch
Patch6: backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch
Patch7: backport-CVE-2023-46751.patch
Patch8: fix-cve-2023-52722.patch
Patch9: fix-CVE-2024-29510.patch
Patch10: fix-CVE-2024-33869.patch
Patch11: fix-CVE-2024-33870.patch
BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -187,33 +180,6 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
%{_bindir}/dvipdf
%changelog
* Sun May 26 2024 xuchenchen <xuchenchen@kylinos.cn> - 9.55.0-9
- Type:CVE
- ID:NA
- SUG:NA
- DECS: fix CVE-2024-29510 CVE-2024-33869 CVE-2024-33870
* Mon May 6 2024 xuchenchen <xuchenchen@kylinos.cn> - 9.55.0-8
- Type:CVE
- ID:NA
- SUG:NA
- DECS: fix CVE-2023-52722
* Mon Dec 25 2023 liningjie <liningjie@xfusion.com> - 9.55.0-7
- Type:CVE
- ID:CVE-2023-46751
- SUG:NA
- DESC:fix CVE-2023-46751
* Fri Sep 22 2023 dillon chen <dillon.chen@gmail.com> - 9.55.0-6
- Type:CVE
- ID:CVE-2023-43115
- SUG:NA
- DESC:fix CVE-2023-43115
* Wed Sep 6 2023 liningjie <liningjie@xfusion.com> - 9.55.0-5
- fix CVE-2023-36664
* Thu Aug 24 2023 liningjie <liningjie@xfusion.com> - 9.55.0-4
- fix CVE-2023-28879