diff options
| author | Peter Marko <peter.marko@siemens.com> | 2025-10-08 00:11:11 +0200 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-10-13 12:42:58 -0700 |
| commit | 0db5ae637d40158d7b2ed0c737cb65737fb26f33 (patch) | |
| tree | 91cf68bddc8a53dcadf6a100bcf09da20fc71146 | |
| parent | 7698e2910dcada48bfee4fdb6edd2371f9e855de (diff) | |
| download | poky-0db5ae637d40158d7b2ed0c737cb65737fb26f33.tar.gz | |
ghostscript: patch CVE-2025-59799
Pick commit mentioned in the NVD report.
(From OE-Core rev: 2f1d5b9ad1af6d2b28e9e7b46aadd879a67b8fc6)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch | 41 | ||||
| -rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb | 1 |
2 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch new file mode 100644 index 0000000000..9401474c47 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch | |||
| @@ -0,0 +1,41 @@ | |||
| 1 | From 6dab38fb211f15226c242ab7a83fa53e4b0ff781 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Piotr Kajda <petermasterperfect@gmail.com> | ||
| 3 | Date: Thu, 8 May 2025 11:37:09 +0100 | ||
| 4 | Subject: [PATCH] pdfwrite - bounds check some strings | ||
| 5 | |||
| 6 | Bug #708517 | ||
| 7 | |||
| 8 | This differs very slightly from the proposed patch in the bug report, I | ||
| 9 | had a quick scout through the C file and found another similar case. | ||
| 10 | |||
| 11 | Both fixed here. | ||
| 12 | |||
| 13 | CVE: CVE-2025-59799 | ||
| 14 | Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/6dab38fb211f15226c242ab7a83fa53e4b0ff781] | ||
| 15 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
| 16 | --- | ||
| 17 | devices/vector/gdevpdfm.c | 4 ++++ | ||
| 18 | 1 file changed, 4 insertions(+) | ||
| 19 | |||
| 20 | diff --git a/devices/vector/gdevpdfm.c b/devices/vector/gdevpdfm.c | ||
| 21 | index 5aa3644e2..4b1d7d89c 100644 | ||
| 22 | --- a/devices/vector/gdevpdfm.c | ||
| 23 | +++ b/devices/vector/gdevpdfm.c | ||
| 24 | @@ -199,6 +199,8 @@ pdfmark_coerce_dest(gs_param_string *dstr, char dest[MAX_DEST_STRING]) | ||
| 25 | { | ||
| 26 | const byte *data = dstr->data; | ||
| 27 | uint size = dstr->size; | ||
| 28 | + if (size > MAX_DEST_STRING) | ||
| 29 | + return_error(gs_error_limitcheck); | ||
| 30 | if (size == 0 || data[0] != '(') | ||
| 31 | return 0; | ||
| 32 | /****** HANDLE ESCAPES ******/ | ||
| 33 | @@ -859,6 +861,8 @@ pdfmark_put_ao_pairs(gx_device_pdf * pdev, cos_dict_t *pcd, | ||
| 34 | char buf[30]; | ||
| 35 | int d0, d1; | ||
| 36 | |||
| 37 | + if (Action[1].size > 29) | ||
| 38 | + return_error(gs_error_rangecheck); | ||
| 39 | memcpy(buf, Action[1].data, Action[1].size); | ||
| 40 | buf[Action[1].size] = 0; | ||
| 41 | if (sscanf(buf, "%d %d R", &d0, &d1) == 2) | ||
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb index 0ae939e780..0f123d4899 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb | |||
| @@ -26,6 +26,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo | |||
| 26 | file://ghostscript-9.16-Werror-return-type.patch \ | 26 | file://ghostscript-9.16-Werror-return-type.patch \ |
| 27 | file://avoid-host-contamination.patch \ | 27 | file://avoid-host-contamination.patch \ |
| 28 | file://CVE-2025-59798.patch \ | 28 | file://CVE-2025-59798.patch \ |
| 29 | file://CVE-2025-59799.patch \ | ||
| 29 | " | 30 | " |
| 30 | 31 | ||
| 31 | SRC_URI[sha256sum] = "121861b6d29b2461dec6575c9f3cab665b810bd408d4ec02c86719fa708b0a49" | 32 | SRC_URI[sha256sum] = "121861b6d29b2461dec6575c9f3cab665b810bd408d4ec02c86719fa708b0a49" |