ghostscript: fix CVE-2021-3781

(From OE-Core rev: c9c5254345249b8a2c53e80cec3c469ca6fc1099) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chee Yang Lee <chee.yang.lee@intel.com> 2022-03-17 15:32:44 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-03-22 22:18:56 +0000
commit: 984de2b68a0e95abbad1c99e55f4fcf77088544a (patch)
tree: 701187d66ab4d287a9a53a426e43697dcfa6d3b8
parent: 630d754ea3d7206976b1e0f4489e054cdbc08fe8 (diff)
download: poky-984de2b68a0e95abbad1c99e55f4fcf77088544a.tar.gz
2 files changed, 237 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781.patch
new file mode 100644
index 0000000000..27ef83bb85
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781.patch
@@ -0,0 +1,236 @@
+From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 7 Sep 2021 20:36:12 +0100
+Subject: [PATCH] Bug 704342: Include device specifier strings in access
+ validation
+for the "%pipe%", %handle%" and %printer% io devices.
+We previously validated only the part after the "%pipe%" Postscript device
+specifier, but this proved insufficient.
+This rebuilds the original file name string, and validates it complete. The
+slight complication for "%pipe%" is it can be reached implicitly using
+"|" so we have to check both prefixes.
+Addresses CVE-2021-3781
+Upstream-Status: Backport[https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a9bd3dec9fde03327a4a2c69dad1036bf9632e20]
+CVE: CVE-2021-3781
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ base/gdevpipe.c | 22 +++++++++++++++-
+ base/gp_mshdl.c | 11 +++++++-
+ base/gp_msprn.c | 10 ++++++-
+ base/gp_os2pr.c | 13 +++++++++-
+ base/gslibctx.c | 69 ++++++++++---------------------------------------
+ 5 files changed, 65 insertions(+), 60 deletions(-)
+diff --git a/base/gdevpipe.c b/base/gdevpipe.c
+index 96d71f5d8..5bdc485be 100644
+--- a/base/gdevpipe.c
+++ b/base/gdevpipe.c
+@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ #else
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    /* The pipe device can be reached in two ways, explicltly with %pipe%
+       or implicitly with "|", so we have to check for both
+     */
+    char f[gp_file_name_sizeof];
+    const char *pipestr = "|";
+    const size_t pipestrlen = strlen(pipestr);
+    const size_t preflen = strlen(iodev->dname);
+    const size_t nlen = strlen(fname);
+    int code1;
+
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(f, iodev->dname, preflen);
+    memcpy(f + preflen, fname, nlen + 1);
+
+    code1 = gp_validate_path(mem, f, access);
+
+    memcpy(f, pipestr, pipestrlen);
+    memcpy(f + pipestrlen, fname, nlen + 1);
+ 
+-    if (gp_validate_path(mem, fname, access) != 0)
+    if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
+         return gs_error_invalidfileaccess;
+ 
+     /*
+diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
+index 2b964ed74..8d87ceadc 100644
+--- a/base/gp_mshdl.c
+++ b/base/gp_mshdl.c
+@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access,
+     long hfile;        /* Correct for Win32, may be wrong for Win64 */
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    char f[gp_file_name_sizeof];
+    const size_t preflen = strlen(iodev->dname);
+    const size_t nlen = strlen(fname);
+ 
+-    if (gp_validate_path(mem, fname, access) != 0)
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(f, iodev->dname, preflen);
+    memcpy(f + preflen, fname, nlen + 1);
+
+    if (gp_validate_path(mem, f, access) != 0)
+         return gs_error_invalidfileaccess;
+ 
+     /* First we try the open_handle method. */
+diff --git a/base/gp_msprn.c b/base/gp_msprn.c
+index ed4827968..746a974f7 100644
+--- a/base/gp_msprn.c
+++ b/base/gp_msprn.c
+@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
+     uintptr_t *ptid = &((tid_t *)(iodev->state))->tid;
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    const size_t preflen = strlen(iodev->dname);
+    const size_t nlen = strlen(fname);
+ 
+-    if (gp_validate_path(mem, fname, access) != 0)
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(pname, iodev->dname, preflen);
+    memcpy(pname + preflen, fname, nlen + 1);
+
+    if (gp_validate_path(mem, pname, access) != 0)
+         return gs_error_invalidfileaccess;
+ 
+     /* First we try the open_printer method. */
+diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
+index f852c71fc..ba54cde66 100644
+--- a/base/gp_os2pr.c
+++ b/base/gp_os2pr.c
+@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
+            FILE ** pfile, char *rfname, uint rnamelen)
+ {
+     os2_printer_t *pr = (os2_printer_t *)iodev->state;
+-    char driver_name[256];
+    char driver_name[gp_file_name_sizeof];
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    const size_t preflen = strlen(iodev->dname);
+    const int size_t = strlen(fname);
+
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(driver_name, iodev->dname, preflen);
+    memcpy(driver_name + preflen, fname, nlen + 1);
+
+    if (gp_validate_path(mem, driver_name, access) != 0)
+        return gs_error_invalidfileaccess;
+ 
+     /* First we try the open_printer method. */
+     /* Note that the loop condition here ensures we don't
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 6dfed6cd5..318039fad 100644
+--- a/base/gslibctx.c
+++ b/base/gslibctx.c
+@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
+ int
+ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ {
+-    char *fp, f[gp_file_name_sizeof];
+-    const int pipe = 124; /* ASCII code for '|' */
+-    const int len = strlen(fname);
+-    int i, code;
+    char f[gp_file_name_sizeof];
+    int code;
+ 
+     /* Be sure the string copy will fit */
+-    if (len >= gp_file_name_sizeof)
+    if (strlen(fname) >= gp_file_name_sizeof)
+         return gs_error_rangecheck;
+     strcpy(f, fname);
+-    fp = f;
+     /* Try to rewrite any %d (or similar) in the string */
+     rewrite_percent_specifiers(f);
+-    for (i = 0; i < len; i++) {
+-        if (f[i] == pipe) {
+-           fp = &f[i + 1];
+-           /* Because we potentially have to check file permissions at two levels
+-              for the output file (gx_device_open_output_file and the low level
+-              fopen API, if we're using a pipe, we have to add both the full string,
+-              (including the '|', and just the command to which we pipe - since at
+-              the pipe_fopen(), the leading '|' has been stripped.
+-            */
+-           code = gs_add_control_path(mem, gs_permit_file_writing, f);
+-           if (code < 0)
+-               return code;
+-           code = gs_add_control_path(mem, gs_permit_file_control, f);
+-           if (code < 0)
+-               return code;
+-           break;
+-        }
+-        if (!IS_WHITESPACE(f[i]))
+-            break;
+-    }
+-    code = gs_add_control_path(mem, gs_permit_file_control, fp);
+
+    code = gs_add_control_path(mem, gs_permit_file_control, f);
+     if (code < 0)
+         return code;
+-    return gs_add_control_path(mem, gs_permit_file_writing, fp);
+    return gs_add_control_path(mem, gs_permit_file_writing, f);
+ }
+ 
+ int
+ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ {
+-    char *fp, f[gp_file_name_sizeof];
+-    const int pipe = 124; /* ASCII code for '|' */
+-    const int len = strlen(fname);
+-    int i, code;
+    char f[gp_file_name_sizeof];
+    int code;
+ 
+     /* Be sure the string copy will fit */
+-    if (len >= gp_file_name_sizeof)
+    if (strlen(fname) >= gp_file_name_sizeof)
+         return gs_error_rangecheck;
+     strcpy(f, fname);
+-    fp = f;
+     /* Try to rewrite any %d (or similar) in the string */
+-    for (i = 0; i < len; i++) {
+-        if (f[i] == pipe) {
+-           fp = &f[i + 1];
+-           /* Because we potentially have to check file permissions at two levels
+-              for the output file (gx_device_open_output_file and the low level
+-              fopen API, if we're using a pipe, we have to add both the full string,
+-              (including the '|', and just the command to which we pipe - since at
+-              the pipe_fopen(), the leading '|' has been stripped.
+-            */
+-           code = gs_remove_control_path(mem, gs_permit_file_writing, f);
+-           if (code < 0)
+-               return code;
+-           code = gs_remove_control_path(mem, gs_permit_file_control, f);
+-           if (code < 0)
+-               return code;
+-           break;
+-        }
+-        if (!IS_WHITESPACE(f[i]))
+-            break;
+-    }
+-    code = gs_remove_control_path(mem, gs_permit_file_control, fp);
+    rewrite_percent_specifiers(f);
+
+    code = gs_remove_control_path(mem, gs_permit_file_control, f);
+     if (code < 0)
+         return code;
+-    return gs_remove_control_path(mem, gs_permit_file_writing, fp);
+    return gs_remove_control_path(mem, gs_permit_file_writing, f);
+ }
+ 
+ int
+-- 
+2.25.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb
index d4442a4908..28d064a1a8 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb
@@ -34,6 +34,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://avoid-host-contamination.patch \
                file://mkdir-p.patch \
                file://CVE-2021-45949.patch \
+                file://CVE-2021-3781.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Chee Yang Lee <chee.yang.lee@intel.com>	2022-03-17 15:32:44 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-03-22 22:18:56 +0000
commit	984de2b68a0e95abbad1c99e55f4fcf77088544a (patch)
tree	701187d66ab4d287a9a53a426e43697dcfa6d3b8
parent	630d754ea3d7206976b1e0f4489e054cdbc08fe8 (diff)
download	poky-984de2b68a0e95abbad1c99e55f4fcf77088544a.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781.patch new file mode 100644 index 0000000000..27ef83bb85 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781.patch
@@ -0,0 +1,236 @@
		1	From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Tue, 7 Sep 2021 20:36:12 +0100
		4	Subject: [PATCH] Bug 704342: Include device specifier strings in access
		5	validation
		6
		7	for the "%pipe%", %handle%" and %printer% io devices.
		8
		9	We previously validated only the part after the "%pipe%" Postscript device
		10	specifier, but this proved insufficient.
		11
		12	This rebuilds the original file name string, and validates it complete. The
		13	slight complication for "%pipe%" is it can be reached implicitly using
		14	"\|" so we have to check both prefixes.
		15
		16	Addresses CVE-2021-3781
		17
		18	Upstream-Status: Backport[https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a9bd3dec9fde03327a4a2c69dad1036bf9632e20]
		19	CVE: CVE-2021-3781
		20	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		21	---
		22	base/gdevpipe.c \| 22 +++++++++++++++-
		23	base/gp_mshdl.c \| 11 +++++++-
		24	base/gp_msprn.c \| 10 ++++++-
		25	base/gp_os2pr.c \| 13 +++++++++-
		26	base/gslibctx.c \| 69 ++++++++++---------------------------------------
		27	5 files changed, 65 insertions(+), 60 deletions(-)
		28
		29	diff --git a/base/gdevpipe.c b/base/gdevpipe.c
		30	index 96d71f5d8..5bdc485be 100644
		31	--- a/base/gdevpipe.c
		32	+++ b/base/gdevpipe.c
		33	@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char fname, const char access,
		34	#else
		35	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
		36	gs_fs_list_t *fs = ctx->core->fs;
		37	+ /* The pipe device can be reached in two ways, explicltly with %pipe%
		38	+ or implicitly with "\|", so we have to check for both
		39	+ */
		40	+ char f[gp_file_name_sizeof];
		41	+ const char *pipestr = "\|";
		42	+ const size_t pipestrlen = strlen(pipestr);
		43	+ const size_t preflen = strlen(iodev->dname);
		44	+ const size_t nlen = strlen(fname);
		45	+ int code1;
		46	+
		47	+ if (preflen + nlen >= gp_file_name_sizeof)
		48	+ return_error(gs_error_invalidaccess);
		49	+
		50	+ memcpy(f, iodev->dname, preflen);
		51	+ memcpy(f + preflen, fname, nlen + 1);
		52	+
		53	+ code1 = gp_validate_path(mem, f, access);
		54	+
		55	+ memcpy(f, pipestr, pipestrlen);
		56	+ memcpy(f + pipestrlen, fname, nlen + 1);
		57
		58	- if (gp_validate_path(mem, fname, access) != 0)
		59	+ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
		60	return gs_error_invalidfileaccess;
		61
		62	/*
		63	diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
		64	index 2b964ed74..8d87ceadc 100644
		65	--- a/base/gp_mshdl.c
		66	+++ b/base/gp_mshdl.c
		67	@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char fname, const char access,
		68	long hfile; /* Correct for Win32, may be wrong for Win64 */
		69	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
		70	gs_fs_list_t *fs = ctx->core->fs;
		71	+ char f[gp_file_name_sizeof];
		72	+ const size_t preflen = strlen(iodev->dname);
		73	+ const size_t nlen = strlen(fname);
		74
		75	- if (gp_validate_path(mem, fname, access) != 0)
		76	+ if (preflen + nlen >= gp_file_name_sizeof)
		77	+ return_error(gs_error_invalidaccess);
		78	+
		79	+ memcpy(f, iodev->dname, preflen);
		80	+ memcpy(f + preflen, fname, nlen + 1);
		81	+
		82	+ if (gp_validate_path(mem, f, access) != 0)
		83	return gs_error_invalidfileaccess;
		84
		85	/* First we try the open_handle method. */
		86	diff --git a/base/gp_msprn.c b/base/gp_msprn.c
		87	index ed4827968..746a974f7 100644
		88	--- a/base/gp_msprn.c
		89	+++ b/base/gp_msprn.c
		90	@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char fname, const char access,
		91	uintptr_t ptid = &((tid_t )(iodev->state))->tid;
		92	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
		93	gs_fs_list_t *fs = ctx->core->fs;
		94	+ const size_t preflen = strlen(iodev->dname);
		95	+ const size_t nlen = strlen(fname);
		96
		97	- if (gp_validate_path(mem, fname, access) != 0)
		98	+ if (preflen + nlen >= gp_file_name_sizeof)
		99	+ return_error(gs_error_invalidaccess);
		100	+
		101	+ memcpy(pname, iodev->dname, preflen);
		102	+ memcpy(pname + preflen, fname, nlen + 1);
		103	+
		104	+ if (gp_validate_path(mem, pname, access) != 0)
		105	return gs_error_invalidfileaccess;
		106
		107	/* First we try the open_printer method. */
		108	diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
		109	index f852c71fc..ba54cde66 100644
		110	--- a/base/gp_os2pr.c
		111	+++ b/base/gp_os2pr.c
		112	@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char fname, const char access,
		113	FILE ** pfile, char *rfname, uint rnamelen)
		114	{
		115	os2_printer_t pr = (os2_printer_t )iodev->state;
		116	- char driver_name[256];
		117	+ char driver_name[gp_file_name_sizeof];
		118	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
		119	gs_fs_list_t *fs = ctx->core->fs;
		120	+ const size_t preflen = strlen(iodev->dname);
		121	+ const int size_t = strlen(fname);
		122	+
		123	+ if (preflen + nlen >= gp_file_name_sizeof)
		124	+ return_error(gs_error_invalidaccess);
		125	+
		126	+ memcpy(driver_name, iodev->dname, preflen);
		127	+ memcpy(driver_name + preflen, fname, nlen + 1);
		128	+
		129	+ if (gp_validate_path(mem, driver_name, access) != 0)
		130	+ return gs_error_invalidfileaccess;
		131
		132	/* First we try the open_printer method. */
		133	/* Note that the loop condition here ensures we don't
		134	diff --git a/base/gslibctx.c b/base/gslibctx.c
		135	index 6dfed6cd5..318039fad 100644
		136	--- a/base/gslibctx.c
		137	+++ b/base/gslibctx.c
		138	@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
		139	int
		140	gs_add_outputfile_control_path(gs_memory_t mem, const char fname)
		141	{
		142	- char *fp, f[gp_file_name_sizeof];
		143	- const int pipe = 124; /* ASCII code for '\|' */
		144	- const int len = strlen(fname);
		145	- int i, code;
		146	+ char f[gp_file_name_sizeof];
		147	+ int code;
		148
		149	/* Be sure the string copy will fit */
		150	- if (len >= gp_file_name_sizeof)
		151	+ if (strlen(fname) >= gp_file_name_sizeof)
		152	return gs_error_rangecheck;
		153	strcpy(f, fname);
		154	- fp = f;
		155	/* Try to rewrite any %d (or similar) in the string */
		156	rewrite_percent_specifiers(f);
		157	- for (i = 0; i < len; i++) {
		158	- if (f[i] == pipe) {
		159	- fp = &f[i + 1];
		160	- /* Because we potentially have to check file permissions at two levels
		161	- for the output file (gx_device_open_output_file and the low level
		162	- fopen API, if we're using a pipe, we have to add both the full string,
		163	- (including the '\|', and just the command to which we pipe - since at
		164	- the pipe_fopen(), the leading '\|' has been stripped.
		165	- */
		166	- code = gs_add_control_path(mem, gs_permit_file_writing, f);
		167	- if (code < 0)
		168	- return code;
		169	- code = gs_add_control_path(mem, gs_permit_file_control, f);
		170	- if (code < 0)
		171	- return code;
		172	- break;
		173	- }
		174	- if (!IS_WHITESPACE(f[i]))
		175	- break;
		176	- }
		177	- code = gs_add_control_path(mem, gs_permit_file_control, fp);
		178	+
		179	+ code = gs_add_control_path(mem, gs_permit_file_control, f);
		180	if (code < 0)
		181	return code;
		182	- return gs_add_control_path(mem, gs_permit_file_writing, fp);
		183	+ return gs_add_control_path(mem, gs_permit_file_writing, f);
		184	}
		185
		186	int
		187	gs_remove_outputfile_control_path(gs_memory_t mem, const char fname)
		188	{
		189	- char *fp, f[gp_file_name_sizeof];
		190	- const int pipe = 124; /* ASCII code for '\|' */
		191	- const int len = strlen(fname);
		192	- int i, code;
		193	+ char f[gp_file_name_sizeof];
		194	+ int code;
		195
		196	/* Be sure the string copy will fit */
		197	- if (len >= gp_file_name_sizeof)
		198	+ if (strlen(fname) >= gp_file_name_sizeof)
		199	return gs_error_rangecheck;
		200	strcpy(f, fname);
		201	- fp = f;
		202	/* Try to rewrite any %d (or similar) in the string */
		203	- for (i = 0; i < len; i++) {
		204	- if (f[i] == pipe) {
		205	- fp = &f[i + 1];
		206	- /* Because we potentially have to check file permissions at two levels
		207	- for the output file (gx_device_open_output_file and the low level
		208	- fopen API, if we're using a pipe, we have to add both the full string,
		209	- (including the '\|', and just the command to which we pipe - since at
		210	- the pipe_fopen(), the leading '\|' has been stripped.
		211	- */
		212	- code = gs_remove_control_path(mem, gs_permit_file_writing, f);
		213	- if (code < 0)
		214	- return code;
		215	- code = gs_remove_control_path(mem, gs_permit_file_control, f);
		216	- if (code < 0)
		217	- return code;
		218	- break;
		219	- }
		220	- if (!IS_WHITESPACE(f[i]))
		221	- break;
		222	- }
		223	- code = gs_remove_control_path(mem, gs_permit_file_control, fp);
		224	+ rewrite_percent_specifiers(f);
		225	+
		226	+ code = gs_remove_control_path(mem, gs_permit_file_control, f);
		227	if (code < 0)
		228	return code;
		229	- return gs_remove_control_path(mem, gs_permit_file_writing, fp);
		230	+ return gs_remove_control_path(mem, gs_permit_file_writing, f);
		231	}
		232
		233	int
		234	--
		235	2.25.1
		236


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb index d4442a4908..28d064a1a8 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb
@@ -34,6 +34,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
34	file://avoid-host-contamination.patch \	34	file://avoid-host-contamination.patch \
35	file://mkdir-p.patch \	35	file://mkdir-p.patch \
36	file://CVE-2021-45949.patch \	36	file://CVE-2021-45949.patch \
		37	file://CVE-2021-3781.patch \
37	"	38	"
38		39
39	SRC_URI = "${SRC_URI_BASE} \	40	SRC_URI = "${SRC_URI_BASE} \