ghostscript: fix CVE-2023-38559

A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-38559 Upstream patch: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f (From OE-Core rev: e77c0b35969ae690b390ffae682fd6552ff8aff8) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2023-08-10 10:23:53 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-08-19 05:56:58 -1000
commit: 8e90df16f5d7aa300d1379b4ed0faf06758f632d (patch)
tree: d61ffe498dfc8cf1ca995e005e221b9f051baa91
parent: ab548842efd4d4e238880a88ac9de5ddb7d27798 (diff)
download: poky-8e90df16f5d7aa300d1379b4ed0faf06758f632d.tar.gz
2 files changed, 33 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-38559.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-38559.patch
new file mode 100644
index 0000000000..2b2b85fa27
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-38559.patch
@@ -0,0 +1,32 @@
+From 34b0eec257c3a597e0515946f17fb973a33a7b5b Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Mon, 17 Jul 2023 14:06:37 +0100
+Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from
+ devices/gdevpcx.c
+Bounds check the buffer, before dereferencing the pointer.
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f]
+CVE: CVE-2023-38559
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ base/gdevdevn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/base/gdevdevn.c b/base/gdevdevn.c
+index f679127..66c771b 100644
+--- a/base/gdevdevn.c
+++ b/base/gdevdevn.c
+@@ -1950,7 +1950,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file
+         byte data = *from;
+         from += step;
+-        if (data != *from || from == end) {
+        if (from >= end || data != *from) {
+             if (data >= 0xc0)
+                 gp_fputc(0xc1, file);
+         } else {
+--
+2.40.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 48508fd6a2..ad0b008cab 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -37,6 +37,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://cve-2023-28879.patch \
                file://CVE-2023-36664-0001.patch \
                file://CVE-2023-36664-0002.patch \
+                file://CVE-2023-38559.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Archana Polampalli <archana.polampalli@windriver.com>	2023-08-10 10:23:53 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-08-19 05:56:58 -1000
commit	8e90df16f5d7aa300d1379b4ed0faf06758f632d (patch)
tree	d61ffe498dfc8cf1ca995e005e221b9f051baa91
parent	ab548842efd4d4e238880a88ac9de5ddb7d27798 (diff)
download	poky-8e90df16f5d7aa300d1379b4ed0faf06758f632d.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-38559.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-38559.patch new file mode 100644 index 0000000000..2b2b85fa27 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-38559.patch
@@ -0,0 +1,32 @@
		1	From 34b0eec257c3a597e0515946f17fb973a33a7b5b Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Mon, 17 Jul 2023 14:06:37 +0100
		4	Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from
		5	devices/gdevpcx.c
		6
		7	Bounds check the buffer, before dereferencing the pointer.
		8
		9	Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f]
		10
		11	CVE: CVE-2023-38559
		12
		13	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		14	---
		15	base/gdevdevn.c \| 2 +-
		16	1 file changed, 1 insertion(+), 1 deletion(-)
		17
		18	diff --git a/base/gdevdevn.c b/base/gdevdevn.c
		19	index f679127..66c771b 100644
		20	--- a/base/gdevdevn.c
		21	+++ b/base/gdevdevn.c
		22	@@ -1950,7 +1950,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file
		23	byte data = *from;
		24
		25	from += step;
		26	- if (data != *from \|\| from == end) {
		27	+ if (from >= end \|\| data != *from) {
		28	if (data >= 0xc0)
		29	gp_fputc(0xc1, file);
		30	} else {
		31	--
		32	2.40.0


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 48508fd6a2..ad0b008cab 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -37,6 +37,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
37	file://cve-2023-28879.patch \	37	file://cve-2023-28879.patch \
38	file://CVE-2023-36664-0001.patch \	38	file://CVE-2023-36664-0001.patch \
39	file://CVE-2023-36664-0002.patch \	39	file://CVE-2023-36664-0002.patch \
		40	file://CVE-2023-38559.patch \
40	"	41	"
41		42
42	SRC_URI = "${SRC_URI_BASE} \	43	SRC_URI = "${SRC_URI_BASE} \