ghostscript: patch CVE-2025-59798

Pick commit mentioned in the NVD report. (From OE-Core rev: 4a2f47d9541d7a13da7a9ce16bd5088870c45ec4) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-10-08 00:11:10 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-10-13 12:42:58 -0700
commit: 7698e2910dcada48bfee4fdb6edd2371f9e855de (patch)
tree: 2f8c2df0cd90425d00e363c8ac5bc14fe96c21ee
parent: 8a80300d0f66a0c4062eafd8256d74cf4ecb5798 (diff)
download: poky-7698e2910dcada48bfee4fdb6edd2371f9e855de.tar.gz
2 files changed, 135 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59798.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59798.patch
new file mode 100644
index 0000000000..9432126e85
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59798.patch
@@ -0,0 +1,134 @@
+From 0cae41b23a9669e801211dd4cf97b6dadd6dbdd7 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 22 May 2025 12:25:41 +0100
+Subject: [PATCH] pdfwrite - avoid buffer overrun
+Bug #708539 "Buffer overflow in pdf_write_cmap"
+The proposed fix in the report solves the buffer overrun, but does not
+tackle a number of other problems.
+This commit checks the result of stream_puts() in
+pdf_write_cid_system_info_to_stream() and correctly signals an error to
+the caller if that fails.
+In pdf_write_cid_system_info we replace a (rather small!) fixed size
+buffer with a dynamically allocated one using the lengths of the strings
+which pdf_write_cid_system_info_to_stream() will write, and a small
+fixed overhead to deal with the keys and initial byte '/'.
+Because 'buf' is used in the stream 's', if it is too small to hold all
+the CIDSystemInfo then we would get an error which was simply discarded
+previously.
+We now should avoid the potential error by ensuring the buffer is large
+enough for all the information, and if we do get an error we no longer
+silently ignore it, which would write an invalid PDF file.
+CVE: CVE-2025-59798
+Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/0cae41b23a9669e801211dd4cf97b6dadd6dbdd7]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ devices/vector/gdevpdtw.c | 52 ++++++++++++++++++++++++++++++---------
+ 1 file changed, 41 insertions(+), 11 deletions(-)
+diff --git a/devices/vector/gdevpdtw.c b/devices/vector/gdevpdtw.c
+index ced15c9b2..fe24dd73a 100644
+--- a/devices/vector/gdevpdtw.c
+++ b/devices/vector/gdevpdtw.c
+@@ -703,7 +703,8 @@ static int
+ pdf_write_cid_system_info_to_stream(gx_device_pdf *pdev, stream *s,
+                           const gs_cid_system_info_t *pcidsi, gs_id object_id)
+ {
+-    byte *Registry, *Ordering;
+    byte *Registry = NULL, *Ordering = NULL;
+    int code = 0;
+ 
+     Registry = gs_alloc_bytes(pdev->pdf_memory, pcidsi->Registry.size, "temporary buffer for Registry");
+     if (!Registry)
+@@ -734,14 +735,19 @@ pdf_write_cid_system_info_to_stream(gx_device_pdf *pdev, stream *s,
+         }
+         s_arcfour_process_buffer(&sarc4, Ordering, pcidsi->Ordering.size);
+     }
+-    stream_puts(s, "<<\n/Registry");
+    code = stream_puts(s, "<<\n/Registry");
+    if (code < 0)
+        goto error;
+     s_write_ps_string(s, Registry, pcidsi->Registry.size, PRINT_HEX_NOT_OK);
+-    stream_puts(s, "\n/Ordering");
+    code = stream_puts(s, "\n/Ordering");
+    if(code < 0)
+        goto error;
+     s_write_ps_string(s, Ordering, pcidsi->Ordering.size, PRINT_HEX_NOT_OK);
+error:
+     pprintd1(s, "\n/Supplement %d\n>>\n", pcidsi->Supplement);
+     gs_free_object(pdev->pdf_memory, Registry, "free temporary Registry buffer");
+     gs_free_object(pdev->pdf_memory, Ordering, "free temporary Ordering buffer");
+-    return 0;
+    return code;
+ }
+ 
+ int
+@@ -786,31 +792,55 @@ pdf_write_cmap(gx_device_pdf *pdev, const gs_cmap_t *pcmap,
+     *ppres = writer.pres;
+     writer.pres->where_used = 0; /* CMap isn't a PDF resource. */
+     if (!pcmap->ToUnicode) {
+-        byte buf[200];
+        byte *buf = NULL;
+        uint64_t buflen = 0;
+         cos_dict_t *pcd = (cos_dict_t *)writer.pres->object;
+         stream s;
+ 
+        /* We use 'buf' for the stream 's' below and that needs to have some extra
+         * space for the CIDSystemInfo. We also need an extra byte for the leading '/'
+         * 100 bytes is ample for the overhead.
+         */
+        buflen = pcmap->CIDSystemInfo->Registry.size + pcmap->CIDSystemInfo->Ordering.size + pcmap->CMapName.size + 100;
+        if (buflen > max_uint)
+            return_error(gs_error_limitcheck);
+
+        buf = gs_alloc_bytes(pdev->memory, buflen, "pdf_write_cmap");
+        if (buf == NULL)
+            return_error(gs_error_VMerror);
+
+         code = cos_dict_put_c_key_int(pcd, "/WMode", pcmap->WMode);
+-        if (code < 0)
+        if (code < 0) {
+            gs_free_object(pdev->memory, buf, "pdf_write_cmap");
+             return code;
+        }
+         buf[0] = '/';
+         memcpy(buf + 1, pcmap->CMapName.data, pcmap->CMapName.size);
+         code = cos_dict_put_c_key_string(pcd, "/CMapName",
+                         buf, pcmap->CMapName.size + 1);
+-        if (code < 0)
+        if (code < 0) {
+            gs_free_object(pdev->memory, buf, "pdf_write_cmap");
+             return code;
+        }
+         s_init(&s, pdev->memory);
+-        swrite_string(&s, buf, sizeof(buf));
+        swrite_string(&s, buf, buflen);
+         code = pdf_write_cid_system_info_to_stream(pdev, &s, pcmap->CIDSystemInfo, 0);
+-        if (code < 0)
+        if (code < 0) {
+            gs_free_object(pdev->memory, buf, "pdf_write_cmap");
+             return code;
+        }
+         code = cos_dict_put_c_key_string(pcd, "/CIDSystemInfo",
+                         buf, stell(&s));
+-        if (code < 0)
+        if (code < 0) {
+            gs_free_object(pdev->memory, buf, "pdf_write_cmap");
+             return code;
+        }
+         code = cos_dict_put_string_copy(pcd, "/Type", "/CMap");
+-        if (code < 0)
+        if (code < 0) {
+            gs_free_object(pdev->memory, buf, "pdf_write_cmap");
+             return code;
+        }
+        gs_free_object(pdev->memory, buf, "pdf_write_cmap");
+     }
+     if (pcmap->CMapName.size == 0) {
+         /* Create an arbitrary name (for ToUnicode CMap). */
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
index bd34058517..0ae939e780 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
@@ -25,6 +25,7 @@ def gs_verdir(v):
 SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${@gs_verdir("${PV}")}/${BPN}-${PV}.tar.gz \
           file://ghostscript-9.16-Werror-return-type.patch \
           file://avoid-host-contamination.patch \
+           file://CVE-2025-59798.patch \
           "
 SRC_URI[sha256sum] = "121861b6d29b2461dec6575c9f3cab665b810bd408d4ec02c86719fa708b0a49"
author	Peter Marko <peter.marko@siemens.com>	2025-10-08 00:11:10 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-10-13 12:42:58 -0700
commit	7698e2910dcada48bfee4fdb6edd2371f9e855de (patch)
tree	2f8c2df0cd90425d00e363c8ac5bc14fe96c21ee
parent	8a80300d0f66a0c4062eafd8256d74cf4ecb5798 (diff)
download	poky-7698e2910dcada48bfee4fdb6edd2371f9e855de.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59798.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59798.patch new file mode 100644 index 0000000000..9432126e85 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59798.patch
@@ -0,0 +1,134 @@
		1	From 0cae41b23a9669e801211dd4cf97b6dadd6dbdd7 Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <Ken.Sharp@artifex.com>
		3	Date: Thu, 22 May 2025 12:25:41 +0100
		4	Subject: [PATCH] pdfwrite - avoid buffer overrun
		5
		6	Bug #708539 "Buffer overflow in pdf_write_cmap"
		7
		8	The proposed fix in the report solves the buffer overrun, but does not
		9	tackle a number of other problems.
		10
		11	This commit checks the result of stream_puts() in
		12	pdf_write_cid_system_info_to_stream() and correctly signals an error to
		13	the caller if that fails.
		14
		15	In pdf_write_cid_system_info we replace a (rather small!) fixed size
		16	buffer with a dynamically allocated one using the lengths of the strings
		17	which pdf_write_cid_system_info_to_stream() will write, and a small
		18	fixed overhead to deal with the keys and initial byte '/'.
		19
		20	Because 'buf' is used in the stream 's', if it is too small to hold all
		21	the CIDSystemInfo then we would get an error which was simply discarded
		22	previously.
		23
		24	We now should avoid the potential error by ensuring the buffer is large
		25	enough for all the information, and if we do get an error we no longer
		26	silently ignore it, which would write an invalid PDF file.
		27
		28	CVE: CVE-2025-59798
		29	Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/0cae41b23a9669e801211dd4cf97b6dadd6dbdd7]
		30	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		31	---
		32	devices/vector/gdevpdtw.c \| 52 ++++++++++++++++++++++++++++++---------
		33	1 file changed, 41 insertions(+), 11 deletions(-)
		34
		35	diff --git a/devices/vector/gdevpdtw.c b/devices/vector/gdevpdtw.c
		36	index ced15c9b2..fe24dd73a 100644
		37	--- a/devices/vector/gdevpdtw.c
		38	+++ b/devices/vector/gdevpdtw.c
		39	@@ -703,7 +703,8 @@ static int
		40	pdf_write_cid_system_info_to_stream(gx_device_pdf pdev, stream s,
		41	const gs_cid_system_info_t *pcidsi, gs_id object_id)
		42	{
		43	- byte Registry, Ordering;
		44	+ byte Registry = NULL, Ordering = NULL;
		45	+ int code = 0;
		46
		47	Registry = gs_alloc_bytes(pdev->pdf_memory, pcidsi->Registry.size, "temporary buffer for Registry");
		48	if (!Registry)
		49	@@ -734,14 +735,19 @@ pdf_write_cid_system_info_to_stream(gx_device_pdf pdev, stream s,
		50	}
		51	s_arcfour_process_buffer(&sarc4, Ordering, pcidsi->Ordering.size);
		52	}
		53	- stream_puts(s, "<<\n/Registry");
		54	+ code = stream_puts(s, "<<\n/Registry");
		55	+ if (code < 0)
		56	+ goto error;
		57	s_write_ps_string(s, Registry, pcidsi->Registry.size, PRINT_HEX_NOT_OK);
		58	- stream_puts(s, "\n/Ordering");
		59	+ code = stream_puts(s, "\n/Ordering");
		60	+ if(code < 0)
		61	+ goto error;
		62	s_write_ps_string(s, Ordering, pcidsi->Ordering.size, PRINT_HEX_NOT_OK);
		63	+error:
		64	pprintd1(s, "\n/Supplement %d\n>>\n", pcidsi->Supplement);
		65	gs_free_object(pdev->pdf_memory, Registry, "free temporary Registry buffer");
		66	gs_free_object(pdev->pdf_memory, Ordering, "free temporary Ordering buffer");
		67	- return 0;
		68	+ return code;
		69	}
		70
		71	int
		72	@@ -786,31 +792,55 @@ pdf_write_cmap(gx_device_pdf pdev, const gs_cmap_t pcmap,
		73	*ppres = writer.pres;
		74	writer.pres->where_used = 0; /* CMap isn't a PDF resource. */
		75	if (!pcmap->ToUnicode) {
		76	- byte buf[200];
		77	+ byte *buf = NULL;
		78	+ uint64_t buflen = 0;
		79	cos_dict_t pcd = (cos_dict_t )writer.pres->object;
		80	stream s;
		81
		82	+ /* We use 'buf' for the stream 's' below and that needs to have some extra
		83	+ * space for the CIDSystemInfo. We also need an extra byte for the leading '/'
		84	+ * 100 bytes is ample for the overhead.
		85	+ */
		86	+ buflen = pcmap->CIDSystemInfo->Registry.size + pcmap->CIDSystemInfo->Ordering.size + pcmap->CMapName.size + 100;
		87	+ if (buflen > max_uint)
		88	+ return_error(gs_error_limitcheck);
		89	+
		90	+ buf = gs_alloc_bytes(pdev->memory, buflen, "pdf_write_cmap");
		91	+ if (buf == NULL)
		92	+ return_error(gs_error_VMerror);
		93	+
		94	code = cos_dict_put_c_key_int(pcd, "/WMode", pcmap->WMode);
		95	- if (code < 0)
		96	+ if (code < 0) {
		97	+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
		98	return code;
		99	+ }
		100	buf[0] = '/';
		101	memcpy(buf + 1, pcmap->CMapName.data, pcmap->CMapName.size);
		102	code = cos_dict_put_c_key_string(pcd, "/CMapName",
		103	buf, pcmap->CMapName.size + 1);
		104	- if (code < 0)
		105	+ if (code < 0) {
		106	+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
		107	return code;
		108	+ }
		109	s_init(&s, pdev->memory);
		110	- swrite_string(&s, buf, sizeof(buf));
		111	+ swrite_string(&s, buf, buflen);
		112	code = pdf_write_cid_system_info_to_stream(pdev, &s, pcmap->CIDSystemInfo, 0);
		113	- if (code < 0)
		114	+ if (code < 0) {
		115	+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
		116	return code;
		117	+ }
		118	code = cos_dict_put_c_key_string(pcd, "/CIDSystemInfo",
		119	buf, stell(&s));
		120	- if (code < 0)
		121	+ if (code < 0) {
		122	+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
		123	return code;
		124	+ }
		125	code = cos_dict_put_string_copy(pcd, "/Type", "/CMap");
		126	- if (code < 0)
		127	+ if (code < 0) {
		128	+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
		129	return code;
		130	+ }
		131	+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
		132	}
		133	if (pcmap->CMapName.size == 0) {
		134	/* Create an arbitrary name (for ToUnicode CMap). */


diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb index bd34058517..0ae939e780 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
@@ -25,6 +25,7 @@ def gs_verdir(v):
25	SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${@gs_verdir("${PV}")}/${BPN}-${PV}.tar.gz \	25	SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${@gs_verdir("${PV}")}/${BPN}-${PV}.tar.gz \
26	file://ghostscript-9.16-Werror-return-type.patch \	26	file://ghostscript-9.16-Werror-return-type.patch \
27	file://avoid-host-contamination.patch \	27	file://avoid-host-contamination.patch \
		28	file://CVE-2025-59798.patch \
28	"	29	"
29		30
30	SRC_URI[sha256sum] = "121861b6d29b2461dec6575c9f3cab665b810bd408d4ec02c86719fa708b0a49"	31	SRC_URI[sha256sum] = "121861b6d29b2461dec6575c9f3cab665b810bd408d4ec02c86719fa708b0a49"