ghostscript: patch CVE-2025-59799

Pick commit mentioned in the NVD report. (From OE-Core rev: 10a51275bb0f62b018a6182953352ecf7aa3d220) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-10-08 00:11:41 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-10-14 07:20:35 -0700
commit: 093e91d1906c468497835c9f2e6925ae87f6601d (patch)
tree: 9805c4f11ec4b81745b1e7f02ea6d9313a7e8288 /meta/recipes-extended
parent: 0163ca382a7a7dcf56d8dda8f1a66d23e9b0bee3 (diff)
download: poky-093e91d1906c468497835c9f2e6925ae87f6601d.tar.gz
2 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch
new file mode 100644
index 0000000000..3badd82f22
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch
@@ -0,0 +1,41 @@
+From 6dab38fb211f15226c242ab7a83fa53e4b0ff781 Mon Sep 17 00:00:00 2001
+From: Piotr Kajda <petermasterperfect@gmail.com>
+Date: Thu, 8 May 2025 11:37:09 +0100
+Subject: [PATCH] pdfwrite - bounds check some strings
+Bug #708517
+This differs very slightly from the proposed patch in the bug report, I
+had a quick scout through the C file and found another similar case.
+Both fixed here.
+CVE: CVE-2025-59799
+Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/6dab38fb211f15226c242ab7a83fa53e4b0ff781]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ devices/vector/gdevpdfm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/devices/vector/gdevpdfm.c b/devices/vector/gdevpdfm.c
+index 5aa3644e2..4b1d7d89c 100644
+--- a/devices/vector/gdevpdfm.c
+++ b/devices/vector/gdevpdfm.c
+@@ -199,6 +199,8 @@ pdfmark_coerce_dest(gs_param_string *dstr, char dest[MAX_DEST_STRING])
+ {
+     const byte *data = dstr->data;
+     uint size = dstr->size;
+    if (size > MAX_DEST_STRING)
+        return_error(gs_error_limitcheck);
+     if (size == 0 || data[0] != '(')
+         return 0;
+     /****** HANDLE ESCAPES ******/
+@@ -848,6 +850,8 @@ pdfmark_put_ao_pairs(gx_device_pdf * pdev, cos_dict_t *pcd,
+             char buf[30];
+             int d0, d1;
+ 
+            if (Action[1].size > 29)
+                return_error(gs_error_rangecheck);
+             memcpy(buf, Action[1].data, Action[1].size);
+             buf[Action[1].size] = 0;
+             if (sscanf(buf, "%d %d R", &d0, &d1) == 2)
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index c9fcaa7a16..349c007e94 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -77,6 +77,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2025-27836-2.patch \
                file://CVE-2025-48708.patch \
                file://CVE-2025-59798.patch \
+                file://CVE-2025-59799.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Peter Marko <peter.marko@siemens.com>	2025-10-08 00:11:41 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-10-14 07:20:35 -0700
commit	093e91d1906c468497835c9f2e6925ae87f6601d (patch)
tree	9805c4f11ec4b81745b1e7f02ea6d9313a7e8288 /meta/recipes-extended
parent	0163ca382a7a7dcf56d8dda8f1a66d23e9b0bee3 (diff)
download	poky-093e91d1906c468497835c9f2e6925ae87f6601d.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch new file mode 100644 index 0000000000..3badd82f22 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch
@@ -0,0 +1,41 @@
		1	From 6dab38fb211f15226c242ab7a83fa53e4b0ff781 Mon Sep 17 00:00:00 2001
		2	From: Piotr Kajda <petermasterperfect@gmail.com>
		3	Date: Thu, 8 May 2025 11:37:09 +0100
		4	Subject: [PATCH] pdfwrite - bounds check some strings
		5
		6	Bug #708517
		7
		8	This differs very slightly from the proposed patch in the bug report, I
		9	had a quick scout through the C file and found another similar case.
		10
		11	Both fixed here.
		12
		13	CVE: CVE-2025-59799
		14	Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/6dab38fb211f15226c242ab7a83fa53e4b0ff781]
		15	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		16	---
		17	devices/vector/gdevpdfm.c \| 4 ++++
		18	1 file changed, 4 insertions(+)
		19
		20	diff --git a/devices/vector/gdevpdfm.c b/devices/vector/gdevpdfm.c
		21	index 5aa3644e2..4b1d7d89c 100644
		22	--- a/devices/vector/gdevpdfm.c
		23	+++ b/devices/vector/gdevpdfm.c
		24	@@ -199,6 +199,8 @@ pdfmark_coerce_dest(gs_param_string *dstr, char dest[MAX_DEST_STRING])
		25	{
		26	const byte *data = dstr->data;
		27	uint size = dstr->size;
		28	+ if (size > MAX_DEST_STRING)
		29	+ return_error(gs_error_limitcheck);
		30	if (size == 0 \|\| data[0] != '(')
		31	return 0;
		32	/**** HANDLE ESCAPES ****/
		33	@@ -848,6 +850,8 @@ pdfmark_put_ao_pairs(gx_device_pdf * pdev, cos_dict_t *pcd,
		34	char buf[30];
		35	int d0, d1;
		36
		37	+ if (Action[1].size > 29)
		38	+ return_error(gs_error_rangecheck);
		39	memcpy(buf, Action[1].data, Action[1].size);
		40	buf[Action[1].size] = 0;
		41	if (sscanf(buf, "%d %d R", &d0, &d1) == 2)


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index c9fcaa7a16..349c007e94 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -77,6 +77,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
77	file://CVE-2025-27836-2.patch \	77	file://CVE-2025-27836-2.patch \
78	file://CVE-2025-48708.patch \	78	file://CVE-2025-48708.patch \
79	file://CVE-2025-59798.patch \	79	file://CVE-2025-59798.patch \
		80	file://CVE-2025-59799.patch \
80	"	81	"
81		82
82	SRC_URI = "${SRC_URI_BASE} \	83	SRC_URI = "${SRC_URI_BASE} \