authorJoe Slater <joe.slater@windriver.com>2023-04-24 10:34:32 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2023-05-05 11:07:25 +0100
commitf91783635446e5bc391235272444d6dcb268a034 (patch)
tree3bba4f7a907d23118b07f0f862482fdb91930363 /meta/recipes-extended/ghostscript
parentc7ede907d9d6e0493b4af3cec763aa7d37f6704a (diff)
ghostscript: fix CVE-2023-28879
Backport from tag ghostpdl-10.01.1-gse-10174 which is after 10.01.1. (From OE-Core rev: 8a70d6935afa38173dbf012b8e1c3d59228504df) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/ghostscript')
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch60
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb1
2 files changed, 61 insertions, 0 deletions
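--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch
@@ -0,0 +1,60 @@
+From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Fri, 24 Mar 2023 13:19:57 +0000
+Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
+
+Bug #706494 "Buffer Overflow in s_xBCPE_process"
+
+As described in detail in the bug report, if the write buffer is filled
+to one byte less than full, and we then try to write an escaped
+character, we overrun the buffer because we don't check before
+writing two bytes to it.
+
+This just checks if we have two bytes before starting to write an
+escaped character and exits if we don't (replacing the consumed byte
+of the input).
+
+Up for further discussion; why do we even permit a BCP encoding filter
+anyway ? I think we should remove this, at least when SAFER is true.
+---
+CVE: CVE-2023-28879
+
+Upstream-Status: Backport [see text]
+
+git://git.ghostscript.com/ghostpdl
+cherry-pick
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com.
+
+---
+ base/sbcp.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/base/sbcp.c b/base/sbcp.c
+index 979ae0992..47fc233ec 100644
+--- a/base/sbcp.c
++++ b/base/sbcp.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2021 Artifex Software, Inc.
++/* Copyright (C) 2001-2023 Artifex Software, Inc.
+ All Rights Reserved.
+
+ This software is provided AS-IS with no warranty, either express or
+@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
+ byte ch = *++p;
+
+ if (ch <= 31 && escaped[ch]) {
++ /* Make sure we have space to store two characters in the write buffer,
++ * if we don't then exit without consuming the input character, we'll process
++ * that on the next time round.
++ */
++ if (pw->limit - q < 2) {
++ p--;
++ break;
++ }
+ if (p == rlimit) {
+ p--;
+ break;
+--
+2.25.1
+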
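Review bot: The patch header does not name the upstream fix in the field that tooling and auditors read: `Upstream-Status: Backport [see text]` (patch line 22) leaves the commit to be inferred from the `From 37ed5022…` line and the repository URL further down. I would fold both into the tag, e.g. `Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl commit 37ed5022cecd584de868933b5b60da2e995b3179]`, so the CVE-2023-28879 fix can be traced without reading the free text. The sign-off on patch line 27 is also malformed, ending in `.` where `>` is expected; it should read `Signed-off-by: Joe Slater <joe.slater@windriver.com>`. The embedded sbcp.c hunk shows only the new `pw->limit - q < 2` guard; the two writes it protects and the rest of s_xBCPE_process lie outside the hunk, so whether the guard is sufficient cannot be confirmed from this page alone.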
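--- a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
@@ -34,6 +34,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
  file://avoid-host-contamination.patch \
  file://mkdir-p.patch \
  file://cross-compile.patch \
+ file://cve-2023-28879.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \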