ghostscript: Fix CVE-2025-27836

Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8b6d19b2b4079da6863ef25f2370f25d4b054919 & https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=d84efb73723384a8b7fb3989c824cfa218060085] (From OE-Core rev: 7399cf17590204f8289f356cce4575592d6e3536) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-04-08 16:27:21 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-04-11 08:36:03 -0700
commit: 378cd5368d34d9ed4b20c9a2c17f53dd64fc48c9 (patch)
tree: 4dd7f8beae5059d33c4f0ea48735197ec5d3b063
parent: 21f4513cd1ce917acd8261f60cf3f4d668867f9f (diff)
download: poky-378cd5368d34d9ed4b20c9a2c17f53dd64fc48c9.tar.gz
3 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch
new file mode 100644
index 0000000000..bd32456b99
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch
@@ -0,0 +1,64 @@
+From 8b6d19b2b4079da6863ef25f2370f25d4b054919 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 13 Jan 2025 09:07:57 +0000
+Subject: Bug 708192: Fix potential print buffer overflow
+CVE-2025-27836
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8b6d19b2b4079da6863ef25f2370f25d4b054919]
+CVE: CVE-2025-27836
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ contrib/japanese/gdev10v.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
+index 0bd3cec02..9d27573dc 100644
+--- a/contrib/japanese/gdev10v.c
+++ b/contrib/japanese/gdev10v.c
+@@ -199,17 +199,25 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream)
+         int bytes_per_column = bits_per_column / 8;
+         int x_skip_unit = bytes_per_column * (xres / 180);
+         int y_skip_unit = (yres / 180);
+-        byte *in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
+-        /* We need one extra byte in <out> for our sentinel. */
+-        byte *out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
+        byte *in, *out;
+         int lnum = 0;
+         int y_skip = 0;
+         int code = 0;
+         int blank_lines = 0;
+         int bytes_per_data = ((xres == 360) && (yres == 360)) ? 1 : 3;
+ 
+-        if ( in == 0 || out == 0 )
+-                return -1;
+        if (bits_per_column == 0 || line_size > (max_int - 1) / bits_per_column) {
+            code = gs_note_error(gs_error_rangecheck);
+            goto error;
+        }
+
+        in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
+        /* We need one extra byte in <out> for our sentinel. */
+        out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
+        if ( in == NULL || out == NULL ) {
+            code = gs_note_error(gs_error_VMerror);
+            goto error;
+        }
+ 
+         /* Initialize the printer. */
+         prn_puts(pdev, "\033@");
+@@ -320,8 +328,10 @@ notz:
+            }
+ 
+         /* Eject the page */
+-xit:   prn_putc(pdev, 014);    /* form feed */
+xit:
+        prn_putc(pdev, 014); /* form feed */
+         prn_flush(pdev);
+error:
+         gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
+         gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
+         return code;
+-- 
+cgit v1.2.3
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch
new file mode 100644
index 0000000000..2e3817bdae
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch
@@ -0,0 +1,46 @@
+From d84efb73723384a8b7fb3989c824cfa218060085 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 13 Mar 2025 11:01:16 +0000
+Subject: Fix Coverity IDs 457699 and 457700
+Not sure if Coverity has been updated, this is ancient contrib code
+which has not changed for a long time.
+However, fix the warning by initialising the pointers to NULL, and then
+avoid trying to free them if they are NULL.
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=d84efb73723384a8b7fb3989c824cfa218060085]
+CVE: CVE-2025-27836
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ contrib/japanese/gdev10v.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
+index 9d27573dc..4d47200e5 100644
+--- a/contrib/japanese/gdev10v.c
+++ b/contrib/japanese/gdev10v.c
+@@ -199,7 +199,7 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream)
+         int bytes_per_column = bits_per_column / 8;
+         int x_skip_unit = bytes_per_column * (xres / 180);
+         int y_skip_unit = (yres / 180);
+-        byte *in, *out;
+        byte *in = NULL, *out = NULL;
+         int lnum = 0;
+         int y_skip = 0;
+         int code = 0;
+@@ -332,7 +332,9 @@ xit:
+         prn_putc(pdev, 014); /* form feed */
+         prn_flush(pdev);
+ error:
+-        gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
+-        gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
+        if (out != NULL)
+            gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
+        if (in != NULL)
+            gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
+         return code;
+ }
+-- 
+cgit v1.2.3
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index abc0238ddc..8499bb3676 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -68,6 +68,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2025-27832.patch \
                file://CVE-2025-27834.patch \
                file://CVE-2025-27835.patch \
+                file://CVE-2025-27836-1.patch \
+                file://CVE-2025-27836-2.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Vijay Anusuri <vanusuri@mvista.com>	2025-04-08 16:27:21 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-04-11 08:36:03 -0700
commit	378cd5368d34d9ed4b20c9a2c17f53dd64fc48c9 (patch)
tree	4dd7f8beae5059d33c4f0ea48735197ec5d3b063
parent	21f4513cd1ce917acd8261f60cf3f4d668867f9f (diff)
download	poky-378cd5368d34d9ed4b20c9a2c17f53dd64fc48c9.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch new file mode 100644 index 0000000000..bd32456b99 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch
@@ -0,0 +1,64 @@
		1	From 8b6d19b2b4079da6863ef25f2370f25d4b054919 Mon Sep 17 00:00:00 2001
		2	From: Zdenek Hutyra <zhutyra@centrum.cz>
		3	Date: Mon, 13 Jan 2025 09:07:57 +0000
		4	Subject: Bug 708192: Fix potential print buffer overflow
		5
		6	CVE-2025-27836
		7
		8	Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8b6d19b2b4079da6863ef25f2370f25d4b054919]
		9	CVE: CVE-2025-27836
		10	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		11	---
		12	contrib/japanese/gdev10v.c \| 22 ++++++++++++++++------
		13	1 file changed, 16 insertions(+), 6 deletions(-)
		14
		15	diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
		16	index 0bd3cec02..9d27573dc 100644
		17	--- a/contrib/japanese/gdev10v.c
		18	+++ b/contrib/japanese/gdev10v.c
		19	@@ -199,17 +199,25 @@ bj10v_print_page(gx_device_printer pdev, gp_file prn_stream)
		20	int bytes_per_column = bits_per_column / 8;
		21	int x_skip_unit = bytes_per_column * (xres / 180);
		22	int y_skip_unit = (yres / 180);
		23	- byte in = (byte )gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
		24	- /* We need one extra byte in <out> for our sentinel. */
		25	- byte out = (byte )gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
		26	+ byte in, out;
		27	int lnum = 0;
		28	int y_skip = 0;
		29	int code = 0;
		30	int blank_lines = 0;
		31	int bytes_per_data = ((xres == 360) && (yres == 360)) ? 1 : 3;
		32
		33	- if ( in == 0 \|\| out == 0 )
		34	- return -1;
		35	+ if (bits_per_column == 0 \|\| line_size > (max_int - 1) / bits_per_column) {
		36	+ code = gs_note_error(gs_error_rangecheck);
		37	+ goto error;
		38	+ }
		39	+
		40	+ in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
		41	+ /* We need one extra byte in <out> for our sentinel. */
		42	+ out = (byte )gs_malloc(pdev->memory->non_gc_memory, bits_per_column line_size + 1, 1, "bj10v_print_page(out)");
		43	+ if ( in == NULL \|\| out == NULL ) {
		44	+ code = gs_note_error(gs_error_VMerror);
		45	+ goto error;
		46	+ }
		47
		48	/* Initialize the printer. */
		49	prn_puts(pdev, "\033@");
		50	@@ -320,8 +328,10 @@ notz:
		51	}
		52
		53	/* Eject the page */
		54	-xit: prn_putc(pdev, 014); /* form feed */
		55	+xit:
		56	+ prn_putc(pdev, 014); /* form feed */
		57	prn_flush(pdev);
		58	+error:
		59	gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
		60	gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
		61	return code;
		62	--
		63	cgit v1.2.3
		64


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch new file mode 100644 index 0000000000..2e3817bdae --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch
@@ -0,0 +1,46 @@
		1	From d84efb73723384a8b7fb3989c824cfa218060085 Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <Ken.Sharp@artifex.com>
		3	Date: Thu, 13 Mar 2025 11:01:16 +0000
		4	Subject: Fix Coverity IDs 457699 and 457700
		5
		6	Not sure if Coverity has been updated, this is ancient contrib code
		7	which has not changed for a long time.
		8
		9	However, fix the warning by initialising the pointers to NULL, and then
		10	avoid trying to free them if they are NULL.
		11
		12	Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=d84efb73723384a8b7fb3989c824cfa218060085]
		13	CVE: CVE-2025-27836
		14	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		15	---
		16	contrib/japanese/gdev10v.c \| 8 +++++---
		17	1 file changed, 5 insertions(+), 3 deletions(-)
		18
		19	diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
		20	index 9d27573dc..4d47200e5 100644
		21	--- a/contrib/japanese/gdev10v.c
		22	+++ b/contrib/japanese/gdev10v.c
		23	@@ -199,7 +199,7 @@ bj10v_print_page(gx_device_printer pdev, gp_file prn_stream)
		24	int bytes_per_column = bits_per_column / 8;
		25	int x_skip_unit = bytes_per_column * (xres / 180);
		26	int y_skip_unit = (yres / 180);
		27	- byte in, out;
		28	+ byte in = NULL, out = NULL;
		29	int lnum = 0;
		30	int y_skip = 0;
		31	int code = 0;
		32	@@ -332,7 +332,9 @@ xit:
		33	prn_putc(pdev, 014); /* form feed */
		34	prn_flush(pdev);
		35	error:
		36	- gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
		37	- gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
		38	+ if (out != NULL)
		39	+ gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
		40	+ if (in != NULL)
		41	+ gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
		42	return code;
		43	}
		44	--
		45	cgit v1.2.3
		46


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index abc0238ddc..8499bb3676 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -68,6 +68,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
68	file://CVE-2025-27832.patch \	68	file://CVE-2025-27832.patch \
69	file://CVE-2025-27834.patch \	69	file://CVE-2025-27834.patch \
70	file://CVE-2025-27835.patch \	70	file://CVE-2025-27835.patch \
		71	file://CVE-2025-27836-1.patch \
		72	file://CVE-2025-27836-2.patch \
71	"	73	"
72		74
73	SRC_URI = "${SRC_URI_BASE} \	75	SRC_URI = "${SRC_URI_BASE} \