ghostscript: fix CVE-2024-33869

(From OE-Core rev: fb0271a2d4e847764816b673aa37ea03ee4b3325) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2024-05-29 05:41:17 +0000
committer: Steve Sakoman <steve@sakoman.com> 2024-06-01 19:07:52 -0700
commit: acf74d711308c280d014cff8af7fe1f62dada737 (patch)
tree: e83cb192049828762c7da59c21be5c5e67252b4e
parent: f60be736e6952838cd4fcb5c7aa9eed13d27305e (diff)
download: poky-acf74d711308c280d014cff8af7fe1f62dada737.tar.gz
3 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch
new file mode 100644
index 0000000000..2e60ae6048
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch
@@ -0,0 +1,39 @@
+From 5ae2e320d69a7d0973011796bd388cd5befa1a43 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Tue, 26 Mar 2024 12:02:57 +0000
+Subject: [PATCH 2/5] Bug #707691
+Part 1; when stripping a potential Current Working Dirctory specifier
+from a path, make certain it really is a CWD, and not simply large
+ebough to be a CWD.
+Reasons are in the bug thread, this is not (IMO) serious.
+This is part of the fix for CVE-2024-33869
+CVE: CVE-2024-33869
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ base/gpmisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 3b6fffa..a0b58c8 100644
+--- a/base/gpmisc.c
+++ b/base/gpmisc.c
+@@ -1162,8 +1162,8 @@ gp_validate_path_len(const gs_memory_t *mem,
+             continue;
+         }
+-        else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
+-            buffer = bufferfull + cdirstrl + dirsepstrl;
+        else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
+            && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
+             continue;
+         }
+         break;
+--
+2.40.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch
new file mode 100644
index 0000000000..5ba038a0e7
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch
@@ -0,0 +1,52 @@
+From f5336e5b4154f515ac83bc5b9eba94302e6618d4 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Tue, 26 Mar 2024 12:07:18 +0000
+Subject: [PATCH 3/5] Bug 707691 part 2
+See bug thread for details
+This is the second part of the fix for CVE-2024-33869
+CVE: CVE-2024-33869
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ base/gpmisc.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index a0b58c8..69bee47 100644
+--- a/base/gpmisc.c
+++ b/base/gpmisc.c
+@@ -1089,6 +1089,27 @@ gp_validate_path_len(const gs_memory_t *mem,
+         rlen = len;
+     }
+     else {
+        char *test = (char *)path, *test1;
+        uint tlen = len, slen;
+
+        /* Look for any pipe (%pipe% or '|' specifications between path separators
+         * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
+         */
+        while (tlen > 0) {
+            if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
+                code = gs_note_error(gs_error_invalidfileaccess);
+                goto exit;
+            }
+            test1 = test;
+            slen = search_separator((const char **)&test, path + len, test1, 1);
+            if(slen == 0)
+                break;
+            test += slen;
+            tlen -= test - test1;
+            if (test >= path + len)
+                break;
+        }
+
+         rlen = len+1;
+         bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+         if (bufferfull == NULL)
+--
+2.40.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 5fa4da0fb8..083ee4b337 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -44,6 +44,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2023-43115.patch \
                file://CVE-2023-46751.patch \
                file://CVE-2024-33870.patch \
+                file://CVE-2024-33869-0001.patch \
+                file://CVE-2024-33869-0002.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Archana Polampalli <archana.polampalli@windriver.com>	2024-05-29 05:41:17 +0000
committer	Steve Sakoman <steve@sakoman.com>	2024-06-01 19:07:52 -0700
commit	acf74d711308c280d014cff8af7fe1f62dada737 (patch)
tree	e83cb192049828762c7da59c21be5c5e67252b4e
parent	f60be736e6952838cd4fcb5c7aa9eed13d27305e (diff)
download	poky-acf74d711308c280d014cff8af7fe1f62dada737.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch new file mode 100644 index 0000000000..2e60ae6048 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch
@@ -0,0 +1,39 @@
		1	From 5ae2e320d69a7d0973011796bd388cd5befa1a43 Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <Ken.Sharp@artifex.com>
		3	Date: Tue, 26 Mar 2024 12:02:57 +0000
		4	Subject: [PATCH 2/5] Bug #707691
		5
		6	Part 1; when stripping a potential Current Working Dirctory specifier
		7	from a path, make certain it really is a CWD, and not simply large
		8	ebough to be a CWD.
		9
		10	Reasons are in the bug thread, this is not (IMO) serious.
		11
		12	This is part of the fix for CVE-2024-33869
		13
		14	CVE: CVE-2024-33869
		15
		16	Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973]
		17
		18	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		19	---
		20	base/gpmisc.c \| 4 ++--
		21	1 file changed, 2 insertions(+), 2 deletions(-)
		22
		23	diff --git a/base/gpmisc.c b/base/gpmisc.c
		24	index 3b6fffa..a0b58c8 100644
		25	--- a/base/gpmisc.c
		26	+++ b/base/gpmisc.c
		27	@@ -1162,8 +1162,8 @@ gp_validate_path_len(const gs_memory_t *mem,
		28
		29	continue;
		30	}
		31	- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
		32	- buffer = bufferfull + cdirstrl + dirsepstrl;
		33	+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
		34	+ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
		35	continue;
		36	}
		37	break;
		38	--
		39	2.40.0


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch new file mode 100644 index 0000000000..5ba038a0e7 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch
@@ -0,0 +1,52 @@
		1	From f5336e5b4154f515ac83bc5b9eba94302e6618d4 Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <Ken.Sharp@artifex.com>
		3	Date: Tue, 26 Mar 2024 12:07:18 +0000
		4	Subject: [PATCH 3/5] Bug 707691 part 2
		5
		6	See bug thread for details
		7
		8	This is the second part of the fix for CVE-2024-33869
		9
		10	CVE: CVE-2024-33869
		11
		12	Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83]
		13
		14	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		15	---
		16	base/gpmisc.c \| 21 +++++++++++++++++++++
		17	1 file changed, 21 insertions(+)
		18
		19	diff --git a/base/gpmisc.c b/base/gpmisc.c
		20	index a0b58c8..69bee47 100644
		21	--- a/base/gpmisc.c
		22	+++ b/base/gpmisc.c
		23	@@ -1089,6 +1089,27 @@ gp_validate_path_len(const gs_memory_t *mem,
		24	rlen = len;
		25	}
		26	else {
		27	+ char test = (char )path, *test1;
		28	+ uint tlen = len, slen;
		29	+
		30	+ /* Look for any pipe (%pipe% or '\|' specifications between path separators
		31	+ * Reject any path spec which has a %pipe% or '\|' anywhere except at the start.
		32	+ */
		33	+ while (tlen > 0) {
		34	+ if (test[0] == '\|' \|\| (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
		35	+ code = gs_note_error(gs_error_invalidfileaccess);
		36	+ goto exit;
		37	+ }
		38	+ test1 = test;
		39	+ slen = search_separator((const char **)&test, path + len, test1, 1);
		40	+ if(slen == 0)
		41	+ break;
		42	+ test += slen;
		43	+ tlen -= test - test1;
		44	+ if (test >= path + len)
		45	+ break;
		46	+ }
		47	+
		48	rlen = len+1;
		49	bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
		50	if (bufferfull == NULL)
		51	--
		52	2.40.0


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 5fa4da0fb8..083ee4b337 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -44,6 +44,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
44	file://CVE-2023-43115.patch \	44	file://CVE-2023-43115.patch \
45	file://CVE-2023-46751.patch \	45	file://CVE-2023-46751.patch \
46	file://CVE-2024-33870.patch \	46	file://CVE-2024-33870.patch \
		47	file://CVE-2024-33869-0001.patch \
		48	file://CVE-2024-33869-0002.patch \
47	"	49	"
48		50
49	SRC_URI = "${SRC_URI_BASE} \	51	SRC_URI = "${SRC_URI_BASE} \