ghostscript: fix CVE-2024-29506

(From OE-Core rev: 68a6482244532e61bc467e1ef23661260bac8572) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2024-08-08 11:05:43 +0000
committer: Steve Sakoman <steve@sakoman.com> 2024-08-16 08:09:14 -0700
commit: 5c036f07cc71c472be72f63d085b6a65afc5ce81 (patch)
tree: ae9ca31be906af8967a6c0488c559832ba581f5e
parent: 52cfc786965eb818cb23846d24d827627cbdd4e6 (diff)
download: poky-5c036f07cc71c472be72f63d085b6a65afc5ce81.tar.gz
2 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29506.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29506.patch
new file mode 100644
index 0000000000..9f3f3e5da2
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29506.patch
@@ -0,0 +1,45 @@
+From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 25 Jan 2024 11:55:49 +0000
+Subject: [PATCH] Bug 707510 - don't allow PDF files with bad Filters to
+ overflow the debug buffer
+Item #2 of the report.
+Allocate a buffer to hold the filter name, instead of assuming it will
+fit in a fixed buffer.
+Reviewed all the other PDFDEBUG cases, no others use a fixed buffer like
+this.
+CVE: CVE-2024-29506
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=77dc7f699beba606937b7ea23b50cf5974fa64b1]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ pdf/pdf_file.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+diff --git a/pdf/pdf_file.c b/pdf/pdf_file.c
+index 214d448..93c2402 100644
+--- a/pdf/pdf_file.c
+++ b/pdf/pdf_file.c
+@@ -767,10 +767,14 @@ static int pdfi_apply_filter(pdf_context *ctx, pdf_dict *dict, pdf_name *n, pdf_
+     if (ctx->args.pdfdebug)
+     {
+-        char str[100];
+       char *str;
+        str = gs_alloc_bytes(ctx->memory, n->length + 1, "temp string for debug");
+        if (str == NULL)
+            return_error(gs_error_VMerror);
+         memcpy(str, (const char *)n->data, n->length);
+         str[n->length] = '\0';
+         dmprintf1(ctx->memory, "FILTER NAME:%s\n", str);
+       gs_free_object(ctx->memory, str, "temp string for debug");
+     }
+     if (pdfi_name_is(n, "RunLengthDecode")) {
+--
+2.40.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index f738b0133f..525086e2af 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -53,6 +53,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2024-29511-0001.patch \
                file://CVE-2024-29511-0002.patch \
                file://CVE-2024-29509.patch \
+                file://CVE-2024-29506.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Archana Polampalli <archana.polampalli@windriver.com>	2024-08-08 11:05:43 +0000
committer	Steve Sakoman <steve@sakoman.com>	2024-08-16 08:09:14 -0700
commit	5c036f07cc71c472be72f63d085b6a65afc5ce81 (patch)
tree	ae9ca31be906af8967a6c0488c559832ba581f5e
parent	52cfc786965eb818cb23846d24d827627cbdd4e6 (diff)
download	poky-5c036f07cc71c472be72f63d085b6a65afc5ce81.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29506.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29506.patch new file mode 100644 index 0000000000..9f3f3e5da2 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29506.patch
@@ -0,0 +1,45 @@
		1	From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <Ken.Sharp@artifex.com>
		3	Date: Thu, 25 Jan 2024 11:55:49 +0000
		4	Subject: [PATCH] Bug 707510 - don't allow PDF files with bad Filters to
		5	overflow the debug buffer
		6
		7	Item #2 of the report.
		8
		9	Allocate a buffer to hold the filter name, instead of assuming it will
		10	fit in a fixed buffer.
		11
		12	Reviewed all the other PDFDEBUG cases, no others use a fixed buffer like
		13	this.
		14
		15	CVE: CVE-2024-29506
		16
		17	Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=77dc7f699beba606937b7ea23b50cf5974fa64b1]
		18
		19	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		20	---
		21	pdf/pdf_file.c \| 6 +++++-
		22	1 file changed, 5 insertions(+), 1 deletion(-)
		23
		24	diff --git a/pdf/pdf_file.c b/pdf/pdf_file.c
		25	index 214d448..93c2402 100644
		26	--- a/pdf/pdf_file.c
		27	+++ b/pdf/pdf_file.c
		28	@@ -767,10 +767,14 @@ static int pdfi_apply_filter(pdf_context ctx, pdf_dict dict, pdf_name *n, pdf_
		29
		30	if (ctx->args.pdfdebug)
		31	{
		32	- char str[100];
		33	+ char *str;
		34	+ str = gs_alloc_bytes(ctx->memory, n->length + 1, "temp string for debug");
		35	+ if (str == NULL)
		36	+ return_error(gs_error_VMerror);
		37	memcpy(str, (const char *)n->data, n->length);
		38	str[n->length] = '\0';
		39	dmprintf1(ctx->memory, "FILTER NAME:%s\n", str);
		40	+ gs_free_object(ctx->memory, str, "temp string for debug");
		41	}
		42
		43	if (pdfi_name_is(n, "RunLengthDecode")) {
		44	--
		45	2.40.0


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index f738b0133f..525086e2af 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -53,6 +53,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
53	file://CVE-2024-29511-0001.patch \	53	file://CVE-2024-29511-0001.patch \
54	file://CVE-2024-29511-0002.patch \	54	file://CVE-2024-29511-0002.patch \
55	file://CVE-2024-29509.patch \	55	file://CVE-2024-29509.patch \
		56	file://CVE-2024-29506.patch \
56	"	57	"
57		58
58	SRC_URI = "${SRC_URI_BASE} \	59	SRC_URI = "${SRC_URI_BASE} \