Diffstat (limited to 'meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch')
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch | 60 |
1 files changed, 60 insertions, 0 deletions
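--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
@@ -0,0 +1,60 @@
+From fb342fdb60391073a69147cb71af1ac416a81099 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 14 Jun 2023 09:08:12 +0100
+Subject: [PATCH] Bug 706778: 706761 revisit
+
+Two problems with the original commit. The first a silly typo inverting the
+logic of a test.
+
+The second was forgetting that we actually actually validate two candidate
+strings for pipe devices. One with the expected "%pipe%" prefix, the other
+using the pipe character prefix: "|".
+
+This addresses both those.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099]
+CVE: CVE-2023-36664
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+base/gpmisc.c | 2 +-
+base/gslibctx.c | 4 ++--
+2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 09ac6b3..01d449f 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1050,7 +1050,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+/* "%pipe%" do not follow the normal rules for path definitions, so we
+don't "reduce" them to avoid unexpected results
+*/
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+if (buffer == NULL)
+return gs_error_VMerror;
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 355c0e3..d8f74a3 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -722,7 +722,7 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
+/* "%pipe%" do not follow the normal rules for path definitions, so we
+don't "reduce" them to avoid unexpected results
+*/
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+if (buffer == NULL)
+return gs_error_VMerror;
+@@ -819,7 +819,7 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
+/* "%pipe%" do not follow the normal rules for path definitions, so we
+don't "reduce" them to avoid unexpected results
+*/
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+if (buffer == NULL)
+return gs_error_VMerror;
+--
+2.25.1
+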
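Review bot: In the three rewritten conditions (gp_validate_path_len in base/gpmisc.c at patch line 32, gs_add_control_path_len and gs_remove_control_path_len in base/gslibctx.c at patch lines 45 and 54), `path[0] == '|'` is evaluated before any length test, so a call with `len == 0` reads a byte that `len` does not cover unless an earlier check rejects it. All three functions begin and end outside the hunks, so whether such a guard exists cannot be confirmed from this page. If it does not, `if ((len > 0 && path[0] == '|') || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {` keeps the test self-contained; since this is a backport, that change is better raised upstream than carried as a local deviation. Separately, the comment names "%pipe%" while `memcmp` compares only the five bytes of "%pipe", so the sixth byte required by `len > 5` is never checked; a one-line comment stating whether that is intended would help the next reader of this path-control code.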