ghostscript: Backport CVE-2024-29508

Import patch from ubuntu to fix CVE-2024-29508 Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/ghostscript/commit/?h=ubuntu/focal-security&id=22b23aa6de7613a4d9c1da9c84d72427c9d0cf1a] Upstream commit: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ff1013a0ab485b66783b70145e342a82c670906a (From OE-Core rev: c5a85dfe661543137e40976e832ac22e4815406a) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Ashish Sharma <asharma@mvista.com> 2024-10-18 17:49:52 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-11-02 06:32:36 -0700
commit: f167cac8568e3c5e7e97bd79b18a47360b6e5630 (patch)
tree: a7b92f4e9661cd797d48df9a065b142894c97113
parent: 1669ae700a96b06f870e050868c6cb5ec0944161 (diff)
download: poky-f167cac8568e3c5e7e97bd79b18a47360b6e5630.tar.gz
3 files changed, 339 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-1.patch
new file mode 100644
index 0000000000..cb3b736289
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-1.patch
@@ -0,0 +1,308 @@
+Backport of:
+Note: updated to fix compiler warning.
+From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 25 Jan 2024 11:53:44 +0000
+Subject: Bug 707510 - review printing of pointers
+This is for item 4 of the report, which is addressed by the change in
+gdevpdtb.c. That change uses a fixed name for fonts which have no name
+instead of using the pointer to the address of the font.
+The remaining changes are all due to reviewing the use of PRI_INTPTR.
+In general we only use that for debugging purposes but there were a few
+places which were printing pointers arbitrarily, even in a release build.
+We really don't want to do that so I've modified the places which were
+printing pointer unconditionally so that they only do so if DEBUG is
+set at compile time, or a specific debug flag is set.
+CVE: CVE-2024-29508
+Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/ghostscript/commit/?h=ubuntu/focal-security&id=22b23aa6de7613a4d9c1da9c84d72427c9d0cf1a]
+Upstream commit: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ff1013a0ab485b66783b70145e342a82c670906a
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ base/gsfont.c             | 4 ++--
+ base/gsicc_cache.c        | 8 ++++----
+ base/gsmalloc.c           | 4 ++--
+ base/gxclmem.c            | 5 ++---
+ base/gxcpath.c            | 6 +++++-
+ base/gxpath.c             | 8 +++++++-
+ base/szlibc.c             | 4 +++-
+ devices/gdevupd.c         | 7 ++++++-
+ devices/vector/gdevpdtb.c | 4 ++--
+ psi/ialloc.c              | 4 ++--
+ psi/igc.c                 | 6 +++---
+ psi/igcstr.c              | 6 +++---
+ psi/iinit.c               | 6 +++++-
+ psi/imainarg.c            | 5 +++--
+ psi/isave.c               | 4 ++--
+ psi/iutil.c               | 6 +++++-
+ 16 files changed, 56 insertions(+), 31 deletions(-)
+--- a/base/gsfont.c
+++ b/base/gsfont.c
+@@ -778,7 +778,7 @@ gs_purge_font(gs_font * pfont)
+     else if (pdir->scaled_fonts == pfont)
+         pdir->scaled_fonts = next;
+     else {                     /* Shouldn't happen! */
+-        lprintf1("purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
+        if_debug1m('u', pfont->memory, "purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
+     }
+ 
+     /* Purge the font from the scaled font cache. */
+--- a/base/gsicc_cache.c
+++ b/base/gsicc_cache.c
+@@ -149,7 +149,7 @@ icc_linkcache_finalize(const gs_memory_t
+ 
+     while (link_cache->head != NULL) {
+         if (link_cache->head->ref_count != 0) {
+-            emprintf2(mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
+            if_debug2m(gs_debug_flag_icc, mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
+                       (intptr_t)link_cache->head, link_cache->head->ref_count);
+             link_cache->head->ref_count = 0;   /* force removal */
+         }
+@@ -560,7 +560,7 @@ gsicc_findcachelink(gsicc_hashlink_t has
+                 /* that was building it failed to be able to complete building it              */
+                 /* this is probably a fatal error. MV ???                                      */
+                 if (curr->valid == false) {
+-                 emprintf1(curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr);   /* Breakpoint here */
+                 if_debug1m(gs_debug_flag_icc, curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr);       /* Breakpoint here */
+                 }
+                 gx_monitor_enter(icc_link_cache->lock);        /* re-enter to loop and check */
+             }
+@@ -587,7 +587,7 @@ gsicc_remove_link(gsicc_link_t *link, co
+     /* NOTE: link->ref_count must be 0: assert ? */
+     gx_monitor_enter(icc_link_cache->lock);
+     if (link->ref_count != 0) {
+-      emprintf2(memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
+      if_debug2m(gs_debug_flag_icc, memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
+     }
+     curr = icc_link_cache->head;
+     prev = NULL;
+--- a/base/gsmalloc.c
+++ b/base/gsmalloc.c
+@@ -419,7 +419,7 @@ gs_heap_resize_string(gs_memory_t * mem,
+                       client_name_t cname)
+ {
+     if (gs_heap_object_type(mem, data) != &st_bytes)
+-        lprintf2("%s: resizing non-string "PRI_INTPTR"!\n",
+        if_debug2m('a', mem, "%s: resizing non-string "PRI_INTPTR"!\n",
+                  client_name_string(cname), (intptr_t)data);
+     return gs_heap_resize_object(mem, data, new_num, cname);
+ }
+--- a/base/gxclmem.c
+++ b/base/gxclmem.c
+@@ -490,8 +490,7 @@ memfile_fclose(clist_file_ptr cf, const
+     /* leaks if other users of the memfile don't 'fclose with delete=true */
+     if (f->openlist != NULL || ((f->base_memfile != NULL) && f->base_memfile->is_open)) {
+         /* TODO: do the cleanup rather than just giving an error */
+-        emprintf1(f->memory,
+-                  "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
+        if_debug1(':', "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
+                   (intptr_t)f);
+         return_error(gs_error_invalidfileaccess);
+     } else {
+--- a/base/gxcpath.c
+++ b/base/gxcpath.c
+@@ -172,8 +172,10 @@ gx_cpath_init_contained_shared(gx_clip_p
+ {
+     if (shared) {
+         if (shared->path.segments == &shared->path.local_segments) {
+#ifdef DEBUG
+             lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
+                      (intptr_t)shared);
+#endif
+             return_error(gs_error_Fatal);
+         }
+         *pcpath = *shared;
+@@ -230,8 +232,10 @@ gx_cpath_init_local_shared_nested(gx_cli
+     if (shared) {
+         if ((shared->path.segments == &shared->path.local_segments) &&
+             !safely_nested) {
+#ifdef DEBUG
+             lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
+                      (intptr_t)shared);
+#endif
+             return_error(gs_error_Fatal);
+         }
+         pcpath->path = shared->path;
+--- a/base/gxpath.c
+++ b/base/gxpath.c
+@@ -137,8 +137,10 @@ gx_path_init_contained_shared(gx_path *
+ {
+     if (shared) {
+         if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
+             lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
+                      (intptr_t)shared);
+#endif
+             return_error(gs_error_Fatal);
+         }
+         *ppath = *shared;
+@@ -172,8 +174,10 @@ gx_path_alloc_shared(const gx_path * sha
+     ppath->procs = &default_path_procs;
+     if (shared) {
+         if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
+             lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
+                      (intptr_t)shared);
+#endif
+             gs_free_object(mem, ppath, cname);
+             return 0;
+         }
+@@ -203,8 +207,10 @@ gx_path_init_local_shared(gx_path * ppat
+ {
+     if (shared) {
+         if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
+             lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
+                      (intptr_t)shared);
+#endif
+             return_error(gs_error_Fatal);
+         }
+         *ppath = *shared;
+--- a/base/szlibc.c
+++ b/base/szlibc.c
+@@ -110,7 +110,9 @@ s_zlib_free(void *zmem, void *data)
+     gs_free_object(mem, data, "s_zlib_free(data)");
+     for (; ; block = block->next) {
+         if (block == 0) {
+#ifdef DEBUG
+             lprintf1("Freeing unrecorded data "PRI_INTPTR"!\n", (intptr_t)data);
+#endif
+             return;
+         }
+         if (block->data == data)
+--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
+@@ -1039,8 +1039,13 @@ upd_print_page(gx_device_printer *pdev,
+  */
+    if(!upd || B_OK4GO != (upd->flags & (B_OK4GO | B_ERROR))) {
+ #if UPD_MESSAGES & (UPD_M_ERROR | UPD_M_TOPCALLS)
+#ifdef DEBUG
+          errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n",
+              (intptr_t)udev,(intptr_t) out);
+#else
+         errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n",
+             (intptr_t)udev,(intptr_t) out);
+#endif
+ #endif
+         return_error(gs_error_undefined);
+    }
+--- a/devices/vector/gdevpdtb.c
+++ b/devices/vector/gdevpdtb.c
+@@ -371,7 +371,7 @@ pdf_base_font_alloc(gx_device_pdf *pdev,
+             font_name.size -= SUBSET_PREFIX_SIZE;
+         }
+     } else {
+-        gs_sprintf(fnbuf, ".F" PRI_INTPTR, (intptr_t)copied);
+        gs_snprintf(fnbuf, sizeof(fnbuf), "Anonymous");
+         font_name.data = (byte *)fnbuf;
+         font_name.size = strlen(fnbuf);
+     }
+--- a/psi/ialloc.c
+++ b/psi/ialloc.c
+@@ -386,7 +386,7 @@ gs_free_ref_array(gs_ref_memory_t * mem,
+                 size = num_refs * sizeof(ref);
+                 break;
+             default:
+-                lprintf3("Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!",
+                if_debug3('A', "Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!",
+                          r_type(parr), num_refs, (intptr_t)obj);
+                 return;
+         }
+--- a/psi/igc.c
+++ b/psi/igc.c
+@@ -1061,7 +1061,7 @@ gc_extend_stack(gc_mark_stack * pms, gc_
+ 
+             if (cp == 0) {     /* We were tracing outside collectible */
+                 /* storage.  This can't happen. */
+-                lprintf1("mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n",
+                if_debug1('6', "mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n",
+                          (intptr_t)cptr);
+                 gs_abort(pstate->heap);
+             }
+@@ -1290,7 +1290,7 @@ igc_reloc_struct_ptr(const void /*obj_he
+ 
+             if (cp != 0 && cp->cbase <= (byte *)obj && (byte *)obj <cp->ctop) {
+                 if (back > (cp->ctop - cp->cbase) >> obj_back_shift) {
+-                    lprintf2("Invalid back pointer %u at "PRI_INTPTR"!\n",
+                    if_debug2('6', "Invalid back pointer %u at "PRI_INTPTR"!\n",
+                              back, (intptr_t)obj);
+                     gs_abort(NULL);
+                 }
+--- a/psi/igcstr.c
+++ b/psi/igcstr.c
+@@ -152,7 +152,7 @@ gc_string_mark(const byte * ptr, uint si
+         return false;
+ #ifdef DEBUG
+     if (ptr - HDR_ID_OFFSET < cp->ctop) {
+-        lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+        if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+                  (intptr_t)ptr - HDR_ID_OFFSET, size, (intptr_t)cp->ctop, (intptr_t)cp->climit);
+         return false;
+     } else if (ptr + size > cp->climit) {      /*
+@@ -171,7 +171,7 @@ gc_string_mark(const byte * ptr, uint si
+         while (ptr - HDR_ID_OFFSET == scp->climit && scp->outer != 0)
+             scp = scp->outer;
+         if (ptr - HDR_ID_OFFSET + size > scp->climit) {
+-            lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+            if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+                      (intptr_t)ptr - HDR_ID_OFFSET, size,
+                      (intptr_t)scp->ctop, (intptr_t)scp->climit);
+             return false;
+--- a/psi/iinit.c
+++ b/psi/iinit.c
+@@ -395,8 +395,12 @@ zop_init(i_ctx_t *i_ctx_p)
+         if (def->proc != 0) {
+             code = def->proc(i_ctx_p);
+             if (code < 0) {
+#ifdef DEBUG
+                 lprintf2("op_init proc "PRI_INTPTR" returned error %d!\n",
+                          (intptr_t)def->proc, code);
+#else
+                lprintf("op_init proc returned error !\n");
+#endif
+                 return code;
+             }
+         }
+--- a/psi/imainarg.c
+++ b/psi/imainarg.c
+@@ -229,7 +229,8 @@ gs_main_init_with_args01(gs_main_instanc
+                 if (gs_debug[':'] && !have_dumped_args) {
+                     int i;
+ 
+-                    dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ",
+                    if (gs_debug_c(gs_debug_flag_init_details))
+                        dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ",
+                               (intptr_t)minst);
+                     for (i=1; i<argc; i++)
+                         dmprintf1(minst->heap, "%s ", argv[i]);
+--- a/psi/isave.c
+++ b/psi/isave.c
+@@ -487,7 +487,7 @@ alloc_save_change_in(gs_ref_memory_t *me
+     else if (r_is_struct(pcont))
+         cp->offset = (byte *) where - (byte *) pcont->value.pstruct;
+     else {
+-        lprintf3("Bad type %u for save!  pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n",
+        if_debug3('u', "Bad type %u for save!  pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n",
+                  r_type(pcont), (intptr_t) pcont, (intptr_t) where);
+         gs_abort((const gs_memory_t *)mem);
+     }
+--- a/psi/iutil.c
+++ b/psi/iutil.c
+@@ -537,7 +537,11 @@ other:
+             break;
+         }
+         /* Internal operator, no name. */
+-        gs_sprintf(buf, "@"PRI_INTPTR, (intptr_t) op->value.opproc);
+#ifdef DEBUG
+        gs_snprintf(buf, sizeof(buf), "@"PRI_INTPTR, (intptr_t) op->value.opproc);
+#else
+        gs_snprintf(buf, sizeof(buf), "@anonymous_operator", (intptr_t) op->value.opproc);
+#endif
+         break;
+     }
+     case t_real:
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-2.patch
new file mode 100644
index 0000000000..11f89e0882
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-2.patch
@@ -0,0 +1,29 @@
+From d084021e06ba1caa1373fbbcf24a8510f43830ab Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Sat, 27 Jan 2024 09:30:30 +0000
+Subject: [PATCH] Coverity IDs 414141 & 414145
+These are the same problem reported two different ways. I forgot to
+remove the arguments to errprintf when I removed the format specifiers
+from the string as part of reviewing the pointer printing.
+CVE: CVE-2024-29508
+Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/ghostscript/commit/?h=ubuntu/focal-security&id=22b23aa6de7613a4d9c1da9c84d72427c9d0cf1a]
+Upstream commit: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ff1013a0ab485b66783b70145e342a82c670906a
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ devices/gdevupd.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
+@@ -1043,8 +1043,7 @@ upd_print_page(gx_device_printer *pdev,
+          errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n",
+              (intptr_t)udev,(intptr_t) out);
+ #else
+-         errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n",
+-             (intptr_t)udev,(intptr_t) out);
+         errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n");
+ #endif
+ #endif
+         return_error(gs_error_undefined);
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 525086e2af..969e637f5e 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -54,6 +54,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2024-29511-0002.patch \
                file://CVE-2024-29509.patch \
                file://CVE-2024-29506.patch \
+                file://CVE-2024-29508-1.patch \
+                file://CVE-2024-29508-2.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Ashish Sharma <asharma@mvista.com>	2024-10-18 17:49:52 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-11-02 06:32:36 -0700
commit	f167cac8568e3c5e7e97bd79b18a47360b6e5630 (patch)
tree	a7b92f4e9661cd797d48df9a065b142894c97113
parent	1669ae700a96b06f870e050868c6cb5ec0944161 (diff)
download	poky-f167cac8568e3c5e7e97bd79b18a47360b6e5630.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-1.patch new file mode 100644 index 0000000000..cb3b736289 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-1.patch
@@ -0,0 +1,308 @@
		1	Backport of:
		2	Note: updated to fix compiler warning.
		3
		4	From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001
		5	From: Ken Sharp <Ken.Sharp@artifex.com>
		6	Date: Thu, 25 Jan 2024 11:53:44 +0000
		7	Subject: Bug 707510 - review printing of pointers
		8
		9	This is for item 4 of the report, which is addressed by the change in
		10	gdevpdtb.c. That change uses a fixed name for fonts which have no name
		11	instead of using the pointer to the address of the font.
		12
		13	The remaining changes are all due to reviewing the use of PRI_INTPTR.
		14	In general we only use that for debugging purposes but there were a few
		15	places which were printing pointers arbitrarily, even in a release build.
		16
		17	We really don't want to do that so I've modified the places which were
		18	printing pointer unconditionally so that they only do so if DEBUG is
		19	set at compile time, or a specific debug flag is set.
		20
		21	CVE: CVE-2024-29508
		22	Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/ghostscript/commit/?h=ubuntu/focal-security&id=22b23aa6de7613a4d9c1da9c84d72427c9d0cf1a]
		23	Upstream commit: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ff1013a0ab485b66783b70145e342a82c670906a
		24	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		25
		26	base/gsfont.c \| 4 ++--
		27	base/gsicc_cache.c \| 8 ++++----
		28	base/gsmalloc.c \| 4 ++--
		29	base/gxclmem.c \| 5 ++---
		30	base/gxcpath.c \| 6 +++++-
		31	base/gxpath.c \| 8 +++++++-
		32	base/szlibc.c \| 4 +++-
		33	devices/gdevupd.c \| 7 ++++++-
		34	devices/vector/gdevpdtb.c \| 4 ++--
		35	psi/ialloc.c \| 4 ++--
		36	psi/igc.c \| 6 +++---
		37	psi/igcstr.c \| 6 +++---
		38	psi/iinit.c \| 6 +++++-
		39	psi/imainarg.c \| 5 +++--
		40	psi/isave.c \| 4 ++--
		41	psi/iutil.c \| 6 +++++-
		42	16 files changed, 56 insertions(+), 31 deletions(-)
		43
		44	--- a/base/gsfont.c
		45	+++ b/base/gsfont.c
		46	@@ -778,7 +778,7 @@ gs_purge_font(gs_font * pfont)
		47	else if (pdir->scaled_fonts == pfont)
		48	pdir->scaled_fonts = next;
		49	else { /* Shouldn't happen! */
		50	- lprintf1("purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
		51	+ if_debug1m('u', pfont->memory, "purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
		52	}
		53
		54	/* Purge the font from the scaled font cache. */
		55	--- a/base/gsicc_cache.c
		56	+++ b/base/gsicc_cache.c
		57	@@ -149,7 +149,7 @@ icc_linkcache_finalize(const gs_memory_t
		58
		59	while (link_cache->head != NULL) {
		60	if (link_cache->head->ref_count != 0) {
		61	- emprintf2(mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
		62	+ if_debug2m(gs_debug_flag_icc, mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
		63	(intptr_t)link_cache->head, link_cache->head->ref_count);
		64	link_cache->head->ref_count = 0; /* force removal */
		65	}
		66	@@ -560,7 +560,7 @@ gsicc_findcachelink(gsicc_hashlink_t has
		67	/* that was building it failed to be able to complete building it */
		68	/* this is probably a fatal error. MV ??? */
		69	if (curr->valid == false) {
		70	- emprintf1(curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */
		71	+ if_debug1m(gs_debug_flag_icc, curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */
		72	}
		73	gx_monitor_enter(icc_link_cache->lock); /* re-enter to loop and check */
		74	}
		75	@@ -587,7 +587,7 @@ gsicc_remove_link(gsicc_link_t *link, co
		76	/* NOTE: link->ref_count must be 0: assert ? */
		77	gx_monitor_enter(icc_link_cache->lock);
		78	if (link->ref_count != 0) {
		79	- emprintf2(memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
		80	+ if_debug2m(gs_debug_flag_icc, memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
		81	}
		82	curr = icc_link_cache->head;
		83	prev = NULL;
		84	--- a/base/gsmalloc.c
		85	+++ b/base/gsmalloc.c
		86	@@ -419,7 +419,7 @@ gs_heap_resize_string(gs_memory_t * mem,
		87	client_name_t cname)
		88	{
		89	if (gs_heap_object_type(mem, data) != &st_bytes)
		90	- lprintf2("%s: resizing non-string "PRI_INTPTR"!\n",
		91	+ if_debug2m('a', mem, "%s: resizing non-string "PRI_INTPTR"!\n",
		92	client_name_string(cname), (intptr_t)data);
		93	return gs_heap_resize_object(mem, data, new_num, cname);
		94	}
		95	--- a/base/gxclmem.c
		96	+++ b/base/gxclmem.c
		97	@@ -490,8 +490,7 @@ memfile_fclose(clist_file_ptr cf, const
		98	/* leaks if other users of the memfile don't 'fclose with delete=true */
		99	if (f->openlist != NULL \|\| ((f->base_memfile != NULL) && f->base_memfile->is_open)) {
		100	/* TODO: do the cleanup rather than just giving an error */
		101	- emprintf1(f->memory,
		102	- "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
		103	+ if_debug1(':', "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
		104	(intptr_t)f);
		105	return_error(gs_error_invalidfileaccess);
		106	} else {
		107	--- a/base/gxcpath.c
		108	+++ b/base/gxcpath.c
		109	@@ -172,8 +172,10 @@ gx_cpath_init_contained_shared(gx_clip_p
		110	{
		111	if (shared) {
		112	if (shared->path.segments == &shared->path.local_segments) {
		113	+#ifdef DEBUG
		114	lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
		115	(intptr_t)shared);
		116	+#endif
		117	return_error(gs_error_Fatal);
		118	}
		119	pcpath = shared;
		120	@@ -230,8 +232,10 @@ gx_cpath_init_local_shared_nested(gx_cli
		121	if (shared) {
		122	if ((shared->path.segments == &shared->path.local_segments) &&
		123	!safely_nested) {
		124	+#ifdef DEBUG
		125	lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
		126	(intptr_t)shared);
		127	+#endif
		128	return_error(gs_error_Fatal);
		129	}
		130	pcpath->path = shared->path;
		131	--- a/base/gxpath.c
		132	+++ b/base/gxpath.c
		133	@@ -137,8 +137,10 @@ gx_path_init_contained_shared(gx_path *
		134	{
		135	if (shared) {
		136	if (shared->segments == &shared->local_segments) {
		137	+#ifdef DEBUG
		138	lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
		139	(intptr_t)shared);
		140	+#endif
		141	return_error(gs_error_Fatal);
		142	}
		143	ppath = shared;
		144	@@ -172,8 +174,10 @@ gx_path_alloc_shared(const gx_path * sha
		145	ppath->procs = &default_path_procs;
		146	if (shared) {
		147	if (shared->segments == &shared->local_segments) {
		148	+#ifdef DEBUG
		149	lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
		150	(intptr_t)shared);
		151	+#endif
		152	gs_free_object(mem, ppath, cname);
		153	return 0;
		154	}
		155	@@ -203,8 +207,10 @@ gx_path_init_local_shared(gx_path * ppat
		156	{
		157	if (shared) {
		158	if (shared->segments == &shared->local_segments) {
		159	+#ifdef DEBUG
		160	lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
		161	(intptr_t)shared);
		162	+#endif
		163	return_error(gs_error_Fatal);
		164	}
		165	ppath = shared;
		166	--- a/base/szlibc.c
		167	+++ b/base/szlibc.c
		168	@@ -110,7 +110,9 @@ s_zlib_free(void zmem, void data)
		169	gs_free_object(mem, data, "s_zlib_free(data)");
		170	for (; ; block = block->next) {
		171	if (block == 0) {
		172	+#ifdef DEBUG
		173	lprintf1("Freeing unrecorded data "PRI_INTPTR"!\n", (intptr_t)data);
		174	+#endif
		175	return;
		176	}
		177	if (block->data == data)
		178	--- a/devices/gdevupd.c
		179	+++ b/devices/gdevupd.c
		180	@@ -1039,8 +1039,13 @@ upd_print_page(gx_device_printer *pdev,
		181	*/
		182	if(!upd \|\| B_OK4GO != (upd->flags & (B_OK4GO \| B_ERROR))) {
		183	#if UPD_MESSAGES & (UPD_M_ERROR \| UPD_M_TOPCALLS)
		184	+#ifdef DEBUG
		185	errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n",
		186	(intptr_t)udev,(intptr_t) out);
		187	+#else
		188	+ errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n",
		189	+ (intptr_t)udev,(intptr_t) out);
		190	+#endif
		191	#endif
		192	return_error(gs_error_undefined);
		193	}
		194	--- a/devices/vector/gdevpdtb.c
		195	+++ b/devices/vector/gdevpdtb.c
		196	@@ -371,7 +371,7 @@ pdf_base_font_alloc(gx_device_pdf *pdev,
		197	font_name.size -= SUBSET_PREFIX_SIZE;
		198	}
		199	} else {
		200	- gs_sprintf(fnbuf, ".F" PRI_INTPTR, (intptr_t)copied);
		201	+ gs_snprintf(fnbuf, sizeof(fnbuf), "Anonymous");
		202	font_name.data = (byte *)fnbuf;
		203	font_name.size = strlen(fnbuf);
		204	}
		205	--- a/psi/ialloc.c
		206	+++ b/psi/ialloc.c
		207	@@ -386,7 +386,7 @@ gs_free_ref_array(gs_ref_memory_t * mem,
		208	size = num_refs * sizeof(ref);
		209	break;
		210	default:
		211	- lprintf3("Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!",
		212	+ if_debug3('A', "Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!",
		213	r_type(parr), num_refs, (intptr_t)obj);
		214	return;
		215	}
		216	--- a/psi/igc.c
		217	+++ b/psi/igc.c
		218	@@ -1061,7 +1061,7 @@ gc_extend_stack(gc_mark_stack * pms, gc_
		219
		220	if (cp == 0) { /* We were tracing outside collectible */
		221	/* storage. This can't happen. */
		222	- lprintf1("mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n",
		223	+ if_debug1('6', "mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n",
		224	(intptr_t)cptr);
		225	gs_abort(pstate->heap);
		226	}
		227	@@ -1290,7 +1290,7 @@ igc_reloc_struct_ptr(const void /*obj_he
		228
		229	if (cp != 0 && cp->cbase <= (byte )obj && (byte )obj <cp->ctop) {
		230	if (back > (cp->ctop - cp->cbase) >> obj_back_shift) {
		231	- lprintf2("Invalid back pointer %u at "PRI_INTPTR"!\n",
		232	+ if_debug2('6', "Invalid back pointer %u at "PRI_INTPTR"!\n",
		233	back, (intptr_t)obj);
		234	gs_abort(NULL);
		235	}
		236	--- a/psi/igcstr.c
		237	+++ b/psi/igcstr.c
		238	@@ -152,7 +152,7 @@ gc_string_mark(const byte * ptr, uint si
		239	return false;
		240	#ifdef DEBUG
		241	if (ptr - HDR_ID_OFFSET < cp->ctop) {
		242	- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
		243	+ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
		244	(intptr_t)ptr - HDR_ID_OFFSET, size, (intptr_t)cp->ctop, (intptr_t)cp->climit);
		245	return false;
		246	} else if (ptr + size > cp->climit) { /*
		247	@@ -171,7 +171,7 @@ gc_string_mark(const byte * ptr, uint si
		248	while (ptr - HDR_ID_OFFSET == scp->climit && scp->outer != 0)
		249	scp = scp->outer;
		250	if (ptr - HDR_ID_OFFSET + size > scp->climit) {
		251	- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
		252	+ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
		253	(intptr_t)ptr - HDR_ID_OFFSET, size,
		254	(intptr_t)scp->ctop, (intptr_t)scp->climit);
		255	return false;
		256	--- a/psi/iinit.c
		257	+++ b/psi/iinit.c
		258	@@ -395,8 +395,12 @@ zop_init(i_ctx_t *i_ctx_p)
		259	if (def->proc != 0) {
		260	code = def->proc(i_ctx_p);
		261	if (code < 0) {
		262	+#ifdef DEBUG
		263	lprintf2("op_init proc "PRI_INTPTR" returned error %d!\n",
		264	(intptr_t)def->proc, code);
		265	+#else
		266	+ lprintf("op_init proc returned error !\n");
		267	+#endif
		268	return code;
		269	}
		270	}
		271	--- a/psi/imainarg.c
		272	+++ b/psi/imainarg.c
		273	@@ -229,7 +229,8 @@ gs_main_init_with_args01(gs_main_instanc
		274	if (gs_debug[':'] && !have_dumped_args) {
		275	int i;
		276
		277	- dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ",
		278	+ if (gs_debug_c(gs_debug_flag_init_details))
		279	+ dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ",
		280	(intptr_t)minst);
		281	for (i=1; i<argc; i++)
		282	dmprintf1(minst->heap, "%s ", argv[i]);
		283	--- a/psi/isave.c
		284	+++ b/psi/isave.c
		285	@@ -487,7 +487,7 @@ alloc_save_change_in(gs_ref_memory_t *me
		286	else if (r_is_struct(pcont))
		287	cp->offset = (byte ) where - (byte ) pcont->value.pstruct;
		288	else {
		289	- lprintf3("Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n",
		290	+ if_debug3('u', "Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n",
		291	r_type(pcont), (intptr_t) pcont, (intptr_t) where);
		292	gs_abort((const gs_memory_t *)mem);
		293	}
		294	--- a/psi/iutil.c
		295	+++ b/psi/iutil.c
		296	@@ -537,7 +537,11 @@ other:
		297	break;
		298	}
		299	/* Internal operator, no name. */
		300	- gs_sprintf(buf, "@"PRI_INTPTR, (intptr_t) op->value.opproc);
		301	+#ifdef DEBUG
		302	+ gs_snprintf(buf, sizeof(buf), "@"PRI_INTPTR, (intptr_t) op->value.opproc);
		303	+#else
		304	+ gs_snprintf(buf, sizeof(buf), "@anonymous_operator", (intptr_t) op->value.opproc);
		305	+#endif
		306	break;
		307	}
		308	case t_real:


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-2.patch new file mode 100644 index 0000000000..11f89e0882 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-2.patch
@@ -0,0 +1,29 @@
		1	From d084021e06ba1caa1373fbbcf24a8510f43830ab Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <Ken.Sharp@artifex.com>
		3	Date: Sat, 27 Jan 2024 09:30:30 +0000
		4	Subject: [PATCH] Coverity IDs 414141 & 414145
		5
		6	These are the same problem reported two different ways. I forgot to
		7	remove the arguments to errprintf when I removed the format specifiers
		8	from the string as part of reviewing the pointer printing.
		9
		10	CVE: CVE-2024-29508
		11	Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/ghostscript/commit/?h=ubuntu/focal-security&id=22b23aa6de7613a4d9c1da9c84d72427c9d0cf1a]
		12	Upstream commit: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ff1013a0ab485b66783b70145e342a82c670906a
		13	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		14
		15	devices/gdevupd.c \| 3 +--
		16	1 file changed, 1 insertion(+), 2 deletions(-)
		17
		18	--- a/devices/gdevupd.c
		19	+++ b/devices/gdevupd.c
		20	@@ -1043,8 +1043,7 @@ upd_print_page(gx_device_printer *pdev,
		21	errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n",
		22	(intptr_t)udev,(intptr_t) out);
		23	#else
		24	- errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n",
		25	- (intptr_t)udev,(intptr_t) out);
		26	+ errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n");
		27	#endif
		28	#endif
		29	return_error(gs_error_undefined);


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 525086e2af..969e637f5e 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -54,6 +54,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
54	file://CVE-2024-29511-0002.patch \	54	file://CVE-2024-29511-0002.patch \
55	file://CVE-2024-29509.patch \	55	file://CVE-2024-29509.patch \
56	file://CVE-2024-29506.patch \	56	file://CVE-2024-29506.patch \
		57	file://CVE-2024-29508-1.patch \
		58	file://CVE-2024-29508-2.patch \
57	"	59	"
58		60
59	SRC_URI = "${SRC_URI_BASE} \	61	SRC_URI = "${SRC_URI_BASE} \