ghostscript: fix CVE-2024-33870

(From OE-Core rev: 9f0c63b568312da93daeb31eeb2874b98d1e3eea) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2024-05-29 05:41:16 +0000
committer: Steve Sakoman <steve@sakoman.com> 2024-06-01 19:07:52 -0700
commit: f60be736e6952838cd4fcb5c7aa9eed13d27305e (patch)
tree: b67f142c8403c99b8d798765075080a7f2bc7493
parent: db3cb6f1138d1765fb64d2415083c8503f318a5f (diff)
download: poky-f60be736e6952838cd4fcb5c7aa9eed13d27305e.tar.gz
2 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch
new file mode 100644
index 0000000000..0d289b6d07
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch
@@ -0,0 +1,92 @@
+From 79aef19c685984dc3da2dc090450407d9fbcff80 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Tue, 26 Mar 2024 12:00:14 +0000
+Subject: [PATCH 1/5] Bug #707686
+See bug thread for details
+In addition to the noted bug; an error path (return from
+gp_file_name_reduce not successful) could elad to a memory leak as we
+did not free 'bufferfull'. Fix that too.
+This addresses CVE-2024-33870
+CVE: CVE-2024-33870
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ base/gpmisc.c | 33 ++++++++++++++++++++++++++++++---
+ 1 file changed, 30 insertions(+), 3 deletions(-)
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index f9a9230..3b6fffa 100644
+--- a/base/gpmisc.c
+++ b/base/gpmisc.c
+@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+                      const uint         len,
+                      const char        *mode)
+ {
+-    char *buffer, *bufferfull;
+    char *buffer, *bufferfull = NULL;
+     uint rlen;
+     int code = 0;
+     const char *cdirstr = gp_file_name_current();
+@@ -1095,8 +1095,10 @@ gp_validate_path_len(const gs_memory_t *mem,
+             return gs_error_VMerror;
+         buffer = bufferfull + prefix_len;
+-        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-            return gs_error_invalidfileaccess;
+       if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
+           code = gs_note_error(gs_error_invalidfileaccess);
+            goto exit;
+        }
+         buffer[rlen] = 0;
+     }
+     while (1) {
+@@ -1131,9 +1133,33 @@ gp_validate_path_len(const gs_memory_t *mem,
+             code = gs_note_error(gs_error_invalidfileaccess);
+         }
+         if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
+            uint newlen = rlen + cdirstrl + dirsepstrl;
+            char *newbuffer;
+            int code;
+
+             buffer = bufferfull;
+             memcpy(buffer, cdirstr, cdirstrl);
+             memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
+           /* We've prepended a './' or similar for the current working directory. We need
+             * to execute file_name_reduce on that, to eliminate any '../' or similar from
+             * the (new) full path.
+             */
+            newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
+            if (newbuffer == NULL) {
+                code = gs_note_error(gs_error_VMerror);
+                goto exit;
+            }
+
+            memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
+            newbuffer[newlen] = 0x00;
+
+            code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
+            gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
+            if (code != gp_combine_success) {
+                code = gs_note_error(gs_error_invalidfileaccess);
+                goto exit;
+            }
+
+             continue;
+         }
+         else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
+@@ -1152,6 +1178,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+                                            gs_path_control_flag_is_scratch_file);
+     }
+exit:
+     gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
+ #ifdef EACCES
+     if (code == gs_error_invalidfileaccess)
+--
+2.40.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index e99c740685..5fa4da0fb8 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -43,6 +43,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2023-38559.patch \
                file://CVE-2023-43115.patch \
                file://CVE-2023-46751.patch \
+                file://CVE-2024-33870.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Archana Polampalli <archana.polampalli@windriver.com>	2024-05-29 05:41:16 +0000
committer	Steve Sakoman <steve@sakoman.com>	2024-06-01 19:07:52 -0700
commit	f60be736e6952838cd4fcb5c7aa9eed13d27305e (patch)
tree	b67f142c8403c99b8d798765075080a7f2bc7493
parent	db3cb6f1138d1765fb64d2415083c8503f318a5f (diff)
download	poky-f60be736e6952838cd4fcb5c7aa9eed13d27305e.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch new file mode 100644 index 0000000000..0d289b6d07 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch
@@ -0,0 +1,92 @@
		1	From 79aef19c685984dc3da2dc090450407d9fbcff80 Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <Ken.Sharp@artifex.com>
		3	Date: Tue, 26 Mar 2024 12:00:14 +0000
		4	Subject: [PATCH 1/5] Bug #707686
		5
		6	See bug thread for details
		7
		8	In addition to the noted bug; an error path (return from
		9	gp_file_name_reduce not successful) could elad to a memory leak as we
		10	did not free 'bufferfull'. Fix that too.
		11
		12	This addresses CVE-2024-33870
		13
		14	CVE: CVE-2024-33870
		15
		16	Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc]
		17
		18	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		19	---
		20	base/gpmisc.c \| 33 ++++++++++++++++++++++++++++++---
		21	1 file changed, 30 insertions(+), 3 deletions(-)
		22
		23	diff --git a/base/gpmisc.c b/base/gpmisc.c
		24	index f9a9230..3b6fffa 100644
		25	--- a/base/gpmisc.c
		26	+++ b/base/gpmisc.c
		27	@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
		28	const uint len,
		29	const char *mode)
		30	{
		31	- char buffer, bufferfull;
		32	+ char buffer, bufferfull = NULL;
		33	uint rlen;
		34	int code = 0;
		35	const char *cdirstr = gp_file_name_current();
		36	@@ -1095,8 +1095,10 @@ gp_validate_path_len(const gs_memory_t *mem,
		37	return gs_error_VMerror;
		38
		39	buffer = bufferfull + prefix_len;
		40	- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		41	- return gs_error_invalidfileaccess;
		42	+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
		43	+ code = gs_note_error(gs_error_invalidfileaccess);
		44	+ goto exit;
		45	+ }
		46	buffer[rlen] = 0;
		47	}
		48	while (1) {
		49	@@ -1131,9 +1133,33 @@ gp_validate_path_len(const gs_memory_t *mem,
		50	code = gs_note_error(gs_error_invalidfileaccess);
		51	}
		52	if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
		53	+ uint newlen = rlen + cdirstrl + dirsepstrl;
		54	+ char *newbuffer;
		55	+ int code;
		56	+
		57	buffer = bufferfull;
		58	memcpy(buffer, cdirstr, cdirstrl);
		59	memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
		60	+ /* We've prepended a './' or similar for the current working directory. We need
		61	+ * to execute file_name_reduce on that, to eliminate any '../' or similar from
		62	+ * the (new) full path.
		63	+ */
		64	+ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
		65	+ if (newbuffer == NULL) {
		66	+ code = gs_note_error(gs_error_VMerror);
		67	+ goto exit;
		68	+ }
		69	+
		70	+ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
		71	+ newbuffer[newlen] = 0x00;
		72	+
		73	+ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
		74	+ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
		75	+ if (code != gp_combine_success) {
		76	+ code = gs_note_error(gs_error_invalidfileaccess);
		77	+ goto exit;
		78	+ }
		79	+
		80	continue;
		81	}
		82	else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
		83	@@ -1152,6 +1178,7 @@ gp_validate_path_len(const gs_memory_t *mem,
		84	gs_path_control_flag_is_scratch_file);
		85	}
		86
		87	+exit:
		88	gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
		89	#ifdef EACCES
		90	if (code == gs_error_invalidfileaccess)
		91	--
		92	2.40.0


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index e99c740685..5fa4da0fb8 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -43,6 +43,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
43	file://CVE-2023-38559.patch \	43	file://CVE-2023-38559.patch \
44	file://CVE-2023-43115.patch \	44	file://CVE-2023-43115.patch \
45	file://CVE-2023-46751.patch \	45	file://CVE-2023-46751.patch \
		46	file://CVE-2024-33870.patch \
46	"	47	"
47		48
48	SRC_URI = "${SRC_URI_BASE} \	49	SRC_URI = "${SRC_URI_BASE} \