1 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
new file mode 100644
index 0000000000..e8c42f1deb
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
@@ -0,0 +1,60 @@
+From fb342fdb60391073a69147cb71af1ac416a81099 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 14 Jun 2023 09:08:12 +0100
+Subject: [PATCH] Bug 706778: 706761 revisit
+Two problems with the original commit. The first a silly typo inverting the
+logic of a test.
+The second was forgetting that we actually actually validate two candidate
+strings for pipe devices. One with the expected "%pipe%" prefix, the other
+using the pipe character prefix: "|".
+This addresses both those.
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099]
+CVE: CVE-2023-36664
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gpmisc.c   | 2 +-
+ base/gslibctx.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 09ac6b3..01d449f 100644
+--- a/base/gpmisc.c
+++ b/base/gpmisc.c
+@@ -1050,7 +1050,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+     /* "%pipe%" do not follow the normal rules for path definitions, so we
+        don't "reduce" them to avoid unexpected results
+      */
+-    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+        bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 355c0e3..d8f74a3 100644
+--- a/base/gslibctx.c
+++ b/base/gslibctx.c
+@@ -722,7 +722,7 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
+     /* "%pipe%" do not follow the normal rules for path definitions, so we
+        don't "reduce" them to avoid unexpected results
+      */
+-    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+@@ -819,7 +819,7 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
+     /* "%pipe%" do not follow the normal rules for path definitions, so we
+        don't "reduce" them to avoid unexpected results
+      */
+-    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+-- 
+2.25.1

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch new file mode 100644 index 0000000000..e8c42f1deb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
@@ -0,0 +1,60 @@
	1	From fb342fdb60391073a69147cb71af1ac416a81099 Mon Sep 17 00:00:00 2001
	2	From: Chris Liddell <chris.liddell@artifex.com>
	3	Date: Wed, 14 Jun 2023 09:08:12 +0100
	4	Subject: [PATCH] Bug 706778: 706761 revisit
	5
	6	Two problems with the original commit. The first a silly typo inverting the
	7	logic of a test.
	8
	9	The second was forgetting that we actually actually validate two candidate
	10	strings for pipe devices. One with the expected "%pipe%" prefix, the other
	11	using the pipe character prefix: "\|".
	12
	13	This addresses both those.
	14
	15	Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099]
	16	CVE: CVE-2023-36664
	17	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	18	---
	19	base/gpmisc.c \| 2 +-
	20	base/gslibctx.c \| 4 ++--
	21	2 files changed, 3 insertions(+), 3 deletions(-)
	22
	23	diff --git a/base/gpmisc.c b/base/gpmisc.c
	24	index 09ac6b3..01d449f 100644
	25	--- a/base/gpmisc.c
	26	+++ b/base/gpmisc.c
	27	@@ -1050,7 +1050,7 @@ gp_validate_path_len(const gs_memory_t *mem,
	28	/* "%pipe%" do not follow the normal rules for path definitions, so we
	29	don't "reduce" them to avoid unexpected results
	30	*/
	31	- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
	32	+ if (path[0] == '\|' \|\| (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
	33	bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
	34	if (buffer == NULL)
	35	return gs_error_VMerror;
	36	diff --git a/base/gslibctx.c b/base/gslibctx.c
	37	index 355c0e3..d8f74a3 100644
	38	--- a/base/gslibctx.c
	39	+++ b/base/gslibctx.c
	40	@@ -722,7 +722,7 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
	41	/* "%pipe%" do not follow the normal rules for path definitions, so we
	42	don't "reduce" them to avoid unexpected results
	43	*/
	44	- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
	45	+ if (path[0] == '\|' \|\| (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
	46	buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
	47	if (buffer == NULL)
	48	return gs_error_VMerror;
	49	@@ -819,7 +819,7 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
	50	/* "%pipe%" do not follow the normal rules for path definitions, so we
	51	don't "reduce" them to avoid unexpected results
	52	*/
	53	- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
	54	+ if (path[0] == '\|' \|\| (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
	55	buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
	56	if (buffer == NULL)
	57	return gs_error_VMerror;
	58	--
	59	2.25.1
	60