ghostscript: fix CVE-2024-29510

(From OE-Core rev: 18e03cadcad0b416ef9fe65627e2e5c2924e3f26) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2024-05-29 05:41:19 +0000
committer: Steve Sakoman <steve@sakoman.com> 2024-06-01 19:07:52 -0700
commit: 2db6158ba5446c1e2223efb8f5c58e1d89174843 (patch)
tree: 6a67e7e40069bafc3cefbb8b802cd21c2d6a4712
parent: c44a4b49581df737b06390ce1ec74d4541df1c70 (diff)
download: poky-2db6158ba5446c1e2223efb8f5c58e1d89174843.tar.gz
2 files changed, 85 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
new file mode 100644
index 0000000000..0234c79c7d
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
@@ -0,0 +1,84 @@
+From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 21 Mar 2024 09:01:15 +0000
+Subject: [PATCH 4/5] Uniprint device - prevent string configuration changes
+ when SAFER
+Bug #707662
+We cannot sanitise the string arguments used by the Uniprint device
+because they can potentially include anything.
+This commit ensures that these strings are locked and cannot be
+changed by PostScript once SAFER is activated. Full configuration from
+the command line is still possible (see the *.upp files in lib).
+This addresses CVE-2024-29510
+CVE: CVE-2024-29510
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+diff --git a/devices/gdevupd.c b/devices/gdevupd.c
+index 6635984..7952165 100644
+--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
+@@ -1886,6 +1886,16 @@ out on this copies.
+       if(!upd_strings[i]) continue;
+       UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
+       if(0 == code) {
+        if (gs_is_path_control_active(udev->memory)) {
+            if (strings[i].size != value.size)
+              error = gs_error_invalidaccess;
+            else {
+                if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
+                    error = gs_error_invalidaccess;
+            }
+            if (error < 0)
+                goto exit;
+        }
+          if(0 <= error) error |= UPD_PUT_STRINGS;
+          UPD_MM_DEL_PARAM(udev->memory, strings[i]);
+          if(!value.size) {
+@@ -1903,6 +1913,26 @@ out on this copies.
+       if(!upd_string_a[i]) continue;
+       UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
+       if(0 == code) {
+          if (gs_is_path_control_active(udev->memory)) {
+              if (string_a[i].size != value.size)
+                  error = gs_error_invalidaccess;
+              else {
+                  int loop;
+                  for (loop = 0;loop < string_a[i].size;loop++) {
+                      gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
+                      gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
+
+                      if (tmp1->size != tmp2->size)
+                          error = gs_error_invalidaccess;
+                      else {
+                          if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
+                              error = gs_error_invalidaccess;
+                      }
+                  }
+              }
+            if (error < 0)
+                goto exit;
+          }
+          if(0 <= error) error |= UPD_PUT_STRING_A;
+          UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
+          if(!value.size) {
+@@ -2097,6 +2127,7 @@ transferred into the device-structure. In the case of "uniprint", this may
+       if(0 > code) error = code;
+    }
+exit:
+    if(0 < error) { /* Actually something loaded without error */
+       if(!(upd = udev->upd)) {
+--
+2.40.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 36c5aa3285..1fd08d1cfe 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -48,6 +48,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2024-33869-0002.patch \
                file://CVE-2024-33871-0001.patch \
                file://CVE-2024-33871-0002.patch \
+                file://CVE-2024-29510.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Archana Polampalli <archana.polampalli@windriver.com>	2024-05-29 05:41:19 +0000
committer	Steve Sakoman <steve@sakoman.com>	2024-06-01 19:07:52 -0700
commit	2db6158ba5446c1e2223efb8f5c58e1d89174843 (patch)
tree	6a67e7e40069bafc3cefbb8b802cd21c2d6a4712
parent	c44a4b49581df737b06390ce1ec74d4541df1c70 (diff)
download	poky-2db6158ba5446c1e2223efb8f5c58e1d89174843.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch new file mode 100644 index 0000000000..0234c79c7d --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
@@ -0,0 +1,84 @@
		1	From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <Ken.Sharp@artifex.com>
		3	Date: Thu, 21 Mar 2024 09:01:15 +0000
		4	Subject: [PATCH 4/5] Uniprint device - prevent string configuration changes
		5	when SAFER
		6
		7	Bug #707662
		8
		9	We cannot sanitise the string arguments used by the Uniprint device
		10	because they can potentially include anything.
		11
		12	This commit ensures that these strings are locked and cannot be
		13	changed by PostScript once SAFER is activated. Full configuration from
		14	the command line is still possible (see the *.upp files in lib).
		15
		16	This addresses CVE-2024-29510
		17
		18	CVE: CVE-2024-29510
		19
		20	Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e]
		21
		22	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		23	---
		24	devices/gdevupd.c \| 31 +++++++++++++++++++++++++++++++
		25	1 file changed, 31 insertions(+)
		26
		27	diff --git a/devices/gdevupd.c b/devices/gdevupd.c
		28	index 6635984..7952165 100644
		29	--- a/devices/gdevupd.c
		30	+++ b/devices/gdevupd.c
		31	@@ -1886,6 +1886,16 @@ out on this copies.
		32	if(!upd_strings[i]) continue;
		33	UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
		34	if(0 == code) {
		35	+ if (gs_is_path_control_active(udev->memory)) {
		36	+ if (strings[i].size != value.size)
		37	+ error = gs_error_invalidaccess;
		38	+ else {
		39	+ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
		40	+ error = gs_error_invalidaccess;
		41	+ }
		42	+ if (error < 0)
		43	+ goto exit;
		44	+ }
		45	if(0 <= error) error \|= UPD_PUT_STRINGS;
		46	UPD_MM_DEL_PARAM(udev->memory, strings[i]);
		47	if(!value.size) {
		48	@@ -1903,6 +1913,26 @@ out on this copies.
		49	if(!upd_string_a[i]) continue;
		50	UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
		51	if(0 == code) {
		52	+ if (gs_is_path_control_active(udev->memory)) {
		53	+ if (string_a[i].size != value.size)
		54	+ error = gs_error_invalidaccess;
		55	+ else {
		56	+ int loop;
		57	+ for (loop = 0;loop < string_a[i].size;loop++) {
		58	+ gs_param_string tmp1 = (gs_param_string )&(string_a[i].data[loop]);
		59	+ gs_param_string tmp2 = (gs_param_string )&value.data[loop];
		60	+
		61	+ if (tmp1->size != tmp2->size)
		62	+ error = gs_error_invalidaccess;
		63	+ else {
		64	+ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
		65	+ error = gs_error_invalidaccess;
		66	+ }
		67	+ }
		68	+ }
		69	+ if (error < 0)
		70	+ goto exit;
		71	+ }
		72	if(0 <= error) error \|= UPD_PUT_STRING_A;
		73	UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
		74	if(!value.size) {
		75	@@ -2097,6 +2127,7 @@ transferred into the device-structure. In the case of "uniprint", this may
		76	if(0 > code) error = code;
		77	}
		78
		79	+exit:
		80	if(0 < error) { /* Actually something loaded without error */
		81
		82	if(!(upd = udev->upd)) {
		83	--
		84	2.40.0


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 36c5aa3285..1fd08d1cfe 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -48,6 +48,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
48	file://CVE-2024-33869-0002.patch \	48	file://CVE-2024-33869-0002.patch \
49	file://CVE-2024-33871-0001.patch \	49	file://CVE-2024-33871-0001.patch \
50	file://CVE-2024-33871-0002.patch \	50	file://CVE-2024-33871-0002.patch \
		51	file://CVE-2024-29510.patch \
51	"	52	"
52		53
53	SRC_URI = "${SRC_URI_BASE} \	54	SRC_URI = "${SRC_URI_BASE} \