From 6ec51d096ecd45a713cb4ca71ee70930a40749e7 Mon Sep 17 00:00:00 2001 From: Lee Chee Yang Date: Thu, 6 Aug 2020 17:46:17 +0800 Subject: ghostscript: fix CVE-2020-15900 (From OE-Core rev: d70012e8971a4762ea402c3c843938640b9ab9fc) Signed-off-by: Lee Chee Yang Signed-off-by: Richard Purdie --- .../ghostscript/ghostscript/CVE-2020-15900.patch | 54 ++++++++++++++++++++++ .../ghostscript/ghostscript_9.52.bb | 1 + 2 files changed, 55 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch new file mode 100644 index 0000000000..d7c5f034e5 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch @@ -0,0 +1,54 @@ +From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001 +From: Ray Johnston +Date: Wed, 22 Jul 2020 09:57:54 -0700 +Subject: [PATCH] Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript + 9.52 + +Fix the 'rsearch' calculation for the 'post' size to give the correct +size. Previous calculation would result in a size that was too large, +and could underflow to max uint32_t. Also fix 'rsearch' to return the +correct 'pre' string with empty string match. + +A future change may 'undefine' this undocumented, non-standard operator +during initialization as we do with the many other non-standard internal +PostScript operators and procedures. + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b] +CVE: CVE-2020-15900 +Signed-off-by: Chee Yang Lee +--- + psi/zstring.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/psi/zstring.c b/psi/zstring.c +index 33662dafa..58e1af2b3 100644 +--- a/psi/zstring.c ++++ b/psi/zstring.c +@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward) + return 0; + found: + op->tas.type_attrs = op1->tas.type_attrs; +- op->value.bytes = ptr; +- r_set_size(op, size); ++ op->value.bytes = ptr; /* match */ ++ op->tas.rsize = size; /* match */ + push(2); +- op[-1] = *op1; +- r_set_size(op - 1, ptr - op[-1].value.bytes); +- op1->value.bytes = ptr + size; +- r_set_size(op1, count + (!forward ? (size - 1) : 0)); ++ op[-1] = *op1; /* pre */ ++ op[-3].value.bytes = ptr + size; /* post */ ++ if (forward) { ++ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */ ++ op[-3].tas.rsize = count; /* post */ ++ } else { ++ op[-1].tas.rsize = count; /* pre */ ++ op[-3].tas.rsize -= count + size; /* post */ ++ } + make_true(op); + return 0; + } +-- +2.17.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb index 4cdb6e00d8..65135f5821 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb @@ -34,6 +34,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d SRC_URI = "${SRC_URI_BASE} \ file://ghostscript-9.21-prevent_recompiling.patch \ file://cups-no-gcrypt.patch \ + file://CVE-2020-15900.patch \ " SRC_URI_class-native = "${SRC_URI_BASE} \ -- cgit v1.2.3-54-g00ecf