diff options
author | Vijay Anusuri <vanusuri@mvista.com> | 2023-05-30 16:00:47 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-06-13 04:00:11 -1000 |
commit | 34d7cb536a6a653f88b293f4591f23c38dd9dcd3 (patch) | |
tree | 48c4c21445f61374eb5521287d6f8ebcccbff375 /meta/recipes-extended/ghostscript | |
parent | f51b7f407d9dcb55f641003d6bdfa746b00100b8 (diff) | |
download | poky-34d7cb536a6a653f88b293f4591f23c38dd9dcd3.tar.gz |
ghostscript: Fix CVE-2023-28879
Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179]
(From OE-Core rev: ec0c6f941826903b763be76c450f1d4e0e67908e)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-extended/ghostscript')
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch | 54 | ||||
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript_9.52.bb | 1 |
2 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch new file mode 100644 index 0000000000..852f2459f7 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch | |||
@@ -0,0 +1,54 @@ | |||
1 | From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001 | ||
2 | From: Ken Sharp <ken.sharp@artifex.com> | ||
3 | Date: Fri, 24 Mar 2023 13:19:57 +0000 | ||
4 | Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding | ||
5 | |||
6 | Bug #706494 "Buffer Overflow in s_xBCPE_process" | ||
7 | |||
8 | As described in detail in the bug report, if the write buffer is filled | ||
9 | to one byte less than full, and we then try to write an escaped | ||
10 | character, we overrun the buffer because we don't check before | ||
11 | writing two bytes to it. | ||
12 | |||
13 | This just checks if we have two bytes before starting to write an | ||
14 | escaped character and exits if we don't (replacing the consumed byte | ||
15 | of the input). | ||
16 | |||
17 | Up for further discussion; why do we even permit a BCP encoding filter | ||
18 | anyway ? I think we should remove this, at least when SAFER is true. | ||
19 | |||
20 | Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179] | ||
21 | CVE: CVE-2023-28879 | ||
22 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
23 | --- | ||
24 | base/sbcp.c | 10 +++++++++- | ||
25 | 1 file changed, 9 insertions(+), 1 deletion(-) | ||
26 | |||
27 | diff --git a/base/sbcp.c b/base/sbcp.c | ||
28 | index 6b0383c..90784b5 100644 | ||
29 | --- a/base/sbcp.c | ||
30 | +++ b/base/sbcp.c | ||
31 | @@ -1,4 +1,4 @@ | ||
32 | -/* Copyright (C) 2001-2019 Artifex Software, Inc. | ||
33 | +/* Copyright (C) 2001-2023 Artifex Software, Inc. | ||
34 | All Rights Reserved. | ||
35 | |||
36 | This software is provided AS-IS with no warranty, either express or | ||
37 | @@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr, | ||
38 | byte ch = *++p; | ||
39 | |||
40 | if (ch <= 31 && escaped[ch]) { | ||
41 | + /* Make sure we have space to store two characters in the write buffer, | ||
42 | + * if we don't then exit without consuming the input character, we'll process | ||
43 | + * that on the next time round. | ||
44 | + */ | ||
45 | + if (pw->limit - q < 2) { | ||
46 | + p--; | ||
47 | + break; | ||
48 | + } | ||
49 | if (p == rlimit) { | ||
50 | p--; | ||
51 | break; | ||
52 | -- | ||
53 | 2.25.1 | ||
54 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb index a829d4b4ae..57f0b51ad3 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb | |||
@@ -39,6 +39,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d | |||
39 | file://CVE-2021-3781_1.patch \ | 39 | file://CVE-2021-3781_1.patch \ |
40 | file://CVE-2021-3781_2.patch \ | 40 | file://CVE-2021-3781_2.patch \ |
41 | file://CVE-2021-3781_3.patch \ | 41 | file://CVE-2021-3781_3.patch \ |
42 | file://CVE-2023-28879.patch \ | ||
42 | " | 43 | " |
43 | 44 | ||
44 | SRC_URI = "${SRC_URI_BASE} \ | 45 | SRC_URI = "${SRC_URI_BASE} \ |