| author | Vijay Anusuri <vanusuri@mvista.com> | 2025-04-08 16:27:16 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-04-11 08:36:03 -0700 |
| commit | d80ece64abe66fe082d26ef7123012dc3a14ac5e (patch) | |
| tree | 9969852c2b1db1f76e5f10333fd2d14a63f22bcc | |
| parent | 57c7ce919377795011452c1e97ee65c1c713bdba (diff) | |
ghostscript: Fix CVE-2025-27830
Upstream-Status: Backport
[https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8474e1d6b896e35741d3c608ea5c21deeec1078f]
(From OE-Core rev: bc74ad209b243b131ea5467b871339f1773ba64b)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch | 79 | ||||
| -rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb | 1 |
2 files changed, 80 insertions, 0 deletions
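--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch
@@ -0,0 +1,79 @@
+From 8474e1d6b896e35741d3c608ea5c21deeec1078f Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 13 Jan 2025 09:15:01 +0000
+Subject: [PATCH] Bug 708241: Fix potential Buffer overflow with DollarBlend
+
+During serializing a multiple master font for passing to Freetype.
+
+Use CVE-2025-27830
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8474e1d6b896e35741d3c608ea5c21deeec1078f]
+CVE: CVE-2025-27830
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+base/write_t1.c | 7 ++++---
+psi/zfapi.c | 9 +++++++--
+2 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/base/write_t1.c b/base/write_t1.c
+index 52902be..d6b2454 100644
+--- a/base/write_t1.c
++++ b/base/write_t1.c
+@@ -628,6 +628,7 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
+WRF_wbyte(a_fapi_font->memory, a_output, '\n');
+if (is_MM_font(a_fapi_font)) {
+short x, x2;
++ unsigned short ux;
+float x1;
+uint i, j, entries;
+char Buffer[255];
+@@ -759,16 +760,16 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
+*/
+code = a_fapi_font->get_word(a_fapi_font,
+gs_fapi_font_feature_DollarBlend_length,
+- 0, (unsigned short *)&x);
++ 0, &ux);
+if (code < 0)
+return code;
+
+- if (x > 0) {
++ if (ux > 0) {
+int len;
+WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {");
+
+if (a_output->m_count)
+- a_output->m_count += x;
++ a_output->m_count += ux;
+len = a_fapi_font->get_proc(a_fapi_font,
+gs_fapi_font_feature_DollarBlend, 0,
+(char *)a_output->m_pos);
+diff --git a/psi/zfapi.c b/psi/zfapi.c
+index 0b3ab1c..1ffef47 100644
+--- a/psi/zfapi.c
++++ b/psi/zfapi.c
+@@ -682,7 +682,7 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
+}
+for (i = 0; i < r_size(DBlend); i++) {
+if (array_get(ff->memory, DBlend, i, &Element) < 0) {
+- *ret = 0;
++ length = 0;
+break;
+}
+switch (r_btype(&Element)) {
+@@ -709,7 +709,12 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
+default:
+break;
+}
+- }
++
++ if (length > max_ushort) {
++ length = 0;
++ break;
++ }
++ }
+*ret = length;
+break;
+}
+--
+2.25.1
+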
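Review bot: The overflow guard added in the last psi/zfapi.c hunk turns an oversized $Blend into `length = 0`, which the caller in base/write_t1.c then sees as `ux > 0` being false. A font whose DollarBlend does not fit in an unsigned short therefore appears to be serialized without the procedure and without any error; this is inferred, because the return code on that path is outside the hunk. The guard is also only effective if `length` is declared wider than `unsigned short`, and that declaration is not visible here, so a comment at the check would help: `/* *ret is unsigned short: reject totals that would truncate and under-size the caller's m_count accounting */`. In write_t1.c, `get_proc` is still handed `a_output->m_pos` with no size argument, so the write stays safe only while get_word and get_proc compute the same length, which is worth stating in a comment above that call. Both write_main_dictionary and FAPI_FF_get_word begin and end outside the hunks shown.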
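--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -62,6 +62,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
 file://CVE-2024-46953.patch \
 file://CVE-2024-46955.patch \
 file://CVE-2024-46956.patch \
+file://CVE-2025-27830.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \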
