ghostscript: Backport fix for multiple CVE's

import patch from ubuntu to fix CVE-2024-46951 CVE-2024-46952 CVE-2024-46953 CVE-2024-46955 CVE-2024-46956 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches?h=ubuntu/jammy-security Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ada21374f0c90cc3acf7ce0e96302394560c7aee & https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1fb76aaddac34530242dfbb9579d9997dae41264 & https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=294a3755e33f453dd92e2a7c4cfceb087ac09d6a & https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ca1fc2aefe9796e321d0589afe7efb35063c8b2a & https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ea69a1388245ad959d31c272b5ba66d40cebba2c] (From OE-Core rev: 21a81b592a33504d90f8c53842719cb1fcf96271) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-11-15 08:56:59 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-11-27 06:27:25 -0800
commit: 86be079fa42760ecb9a9652df87b00a8f350098d (patch)
tree: 8815bb73b100fb0d99527f712baf5d5447066050 /meta/recipes-extended
parent: 8e092852b63e998d990b8f8e1aa91297dec4430f (diff)
download: poky-86be079fa42760ecb9a9652df87b00a8f350098d.tar.gz
6 files changed, 255 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46951.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46951.patch
new file mode 100644
index 0000000000..b3481f03a4
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46951.patch
@@ -0,0 +1,31 @@
+From ada21374f0c90cc3acf7ce0e96302394560c7aee Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Fri, 30 Aug 2024 13:16:39 +0100
+Subject: PS interpreter - check the type of the Pattern Implementation
+Bug #707991
+See bug report for details.
+CVE-2024-46951
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches/CVE-2024-46951.patch?h=ubuntu/jammy-security
+Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ada21374f0c90cc3acf7ce0e96302394560c7aee]
+CVE: CVE-2024-46951
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ psi/zcolor.c | 3 +++
+ 1 file changed, 3 insertions(+)
+--- a/psi/zcolor.c
+++ b/psi/zcolor.c
+@@ -5054,6 +5054,9 @@ static int patterncomponent(i_ctx_t * i_
+             code = array_get(imemory, pImpl, 0, &pPatInst);
+             if (code < 0)
+                 return code;
+
+            if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
+                return_error(gs_error_typecheck);
+             cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
+             if (pattern_instance_uses_base_space(cc.pattern))
+                 *n = n_comps;
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46952.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46952.patch
new file mode 100644
index 0000000000..8b495a6f99
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46952.patch
@@ -0,0 +1,62 @@
+From 1fb76aaddac34530242dfbb9579d9997dae41264 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Mon, 2 Sep 2024 15:14:01 +0100
+Subject: PDF interpreter - sanitise W array values in Xref streams
+Bug #708001 "Buffer overflow in PDF XRef stream"
+See bug report. I've chosen to fix this by checking the values in the
+W array; these can (currently at least) only have certain relatively
+small values.
+As a future proofing fix I've also updated field_size in
+pdf_xref_stream_entries() to be a 64-bit integer. This is far bigger
+than required, but matches the W array values and so prevents the
+mismatch which could lead to a buffer overrun.
+CVE-2024-46952
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches/CVE-2024-46952.patch?h=ubuntu/jammy-security
+Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1fb76aaddac34530242dfbb9579d9997dae41264]
+CVE: CVE-2024-46952
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pdf/pdf_xref.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+--- a/pdf/pdf_xref.c
+++ b/pdf/pdf_xref.c
+@@ -53,7 +53,7 @@ static int resize_xref(pdf_context *ctx,
+ static int read_xref_stream_entries(pdf_context *ctx, pdf_c_stream *s, uint64_t first, uint64_t last, uint64_t *W)
+ {
+     uint i, j;
+-    uint field_width = 0;
+    uint64_t field_width = 0;
+     uint32_t type = 0;
+     uint64_t objnum = 0, gen = 0;
+     byte *Buffer;
+@@ -292,6 +292,24 @@ static int pdfi_process_xref_stream(pdf_
+     }
+     pdfi_countdown(a);
+ 
+    /* W[0] is either:
+     * 0 (no type field) or a single byte with the type.
+     * W[1] is either:
+     * The object number of the next free object, the byte offset of this object in the file or the object5 number of the object stream where this object is stored.
+     * W[2] is either:
+     * The generation number to use if this object is used again, the generation number of the object or the index of this object within the object stream.
+     *
+     * Object and generation numbers are limited to unsigned 64-bit values, as are bytes offsets in the file, indexes of objects within the stream likewise (actually
+     * most of these are generally 32-bit max). So we can limit the field widths to 8 bytes, enough to hold a 64-bit number.
+     * Even if a later version of the spec makes these larger (which seems unlikely!) we still cna't cope with integers > 64-bits.
+     */
+    if (W[0] > 1 || W[1] > 8 || W[2] > 8) {
+        pdfi_close_file(ctx, XRefStrm);
+        pdfi_countdown(ctx->xref_table);
+        ctx->xref_table = NULL;
+        return code;
+    }
+
+     code = pdfi_dict_get_type(ctx, sdict, "Index", PDF_ARRAY, (pdf_obj **)&a);
+     if (code == gs_error_undefined) {
+         code = read_xref_stream_entries(ctx, XRefStrm, 0, size - 1, (uint64_t *)W);
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46953.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46953.patch
new file mode 100644
index 0000000000..0e36838907
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46953.patch
@@ -0,0 +1,67 @@
+From 294a3755e33f453dd92e2a7c4cfceb087ac09d6a Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 27 May 2024 13:38:36 +0100
+Subject: Bug 707793: Check for overflow validating format string
+for the output file name
+CVE-2024-46953
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches/CVE-2024-46953.patch?h=ubuntu/jammy-security
+Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=294a3755e33f453dd92e2a7c4cfceb087ac09d6a]
+CVE: CVE-2024-46953
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gsdevice.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+--- a/base/gsdevice.c
+++ b/base/gsdevice.c
+@@ -1069,7 +1069,7 @@ static int
+ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+ {
+     bool have_format = false, field;
+-    int width[2], int_width = sizeof(int) * 3, w = 0;
+    uint width[2], int_width = sizeof(int) * 3, w = 0;
+     uint i;
+ 
+     /* Scan the file name for a format string, and validate it if present. */
+@@ -1098,6 +1098,8 @@ gx_parse_output_format(gs_parsed_file_na
+                         default: /* width (field = 0) and precision (field = 1) */
+                             if (strchr("0123456789", pfn->fname[i])) {
+                                 width[field] = width[field] * 10 + pfn->fname[i] - '0';
+                                if (width[field] > max_int)
+                                       return_error(gs_error_undefinedfilename);
+                                 continue;
+                             } else if (0 == field && '.' == pfn->fname[i]) {
+                                 field++;
+@@ -1126,8 +1128,10 @@ gx_parse_output_format(gs_parsed_file_na
+         /* Calculate a conservative maximum width. */
+         w = max(width[0], width[1]);
+         w = max(w, int_width) + 5;
+        if (w > max_int)
+            return_error(gs_error_undefinedfilename);
+     }
+-    return w;
+    return (int)w;
+ }
+ 
+ /*
+@@ -1180,10 +1184,15 @@ gx_parse_output_file_name(gs_parsed_file
+     if (!pfn->fname)
+         return 0;
+     code = gx_parse_output_format(pfn, pfmt);
+-    if (code < 0)
+    if (code < 0) {
+         return code;
+-    if (strlen(pfn->iodev->dname) + pfn->len + code >= gp_file_name_sizeof)
+    }
+
+    if (pfn->len >= gp_file_name_sizeof - strlen(pfn->iodev->dname) ||
+        code >= gp_file_name_sizeof - strlen(pfn->iodev->dname) - pfn->len) {
+         return_error(gs_error_undefinedfilename);
+    }
+
+     return 0;
+ }
+ 
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46955.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46955.patch
new file mode 100644
index 0000000000..9186412a48
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46955.patch
@@ -0,0 +1,60 @@
+From ca1fc2aefe9796e321d0589afe7efb35063c8b2a Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Fri, 30 Aug 2024 13:11:53 +0100
+Subject: PS interpreter - check Indexed colour space index
+Bug #707990 "Out of bounds read when reading color in "Indexed" color space"
+Check the 'index' is in the valid range (0 to hival) for the colour
+space.
+Also a couple of additional checks on the type of the 'proc' for
+Indexed, DeviceN and Separation spaces. Make sure these really are
+procs in case the user changed the colour space array.
+CVE-2024-46955
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches/CVE-2024-46955.patch?h=ubuntu/jammy-security
+Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ca1fc2aefe9796e321d0589afe7efb35063c8b2a]
+CVE: CVE-2024-46955
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ psi/zcolor.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+--- a/psi/zcolor.c
+++ b/psi/zcolor.c
+@@ -3628,6 +3628,7 @@ static int septransform(i_ctx_t *i_ctx_p
+         code = array_get(imemory, sepspace, 3, &proc);
+         if (code < 0)
+             return code;
+        check_proc(proc);
+         *esp = proc;
+         return o_push_estack;
+     }
+@@ -4449,6 +4450,7 @@ static int devicentransform(i_ctx_t *i_c
+         code = array_get(imemory, devicenspace, 3, &proc);
+         if (code < 0)
+             return code;
+        check_proc(proc);
+         *esp = proc;
+         return o_push_estack;
+     }
+@@ -4864,6 +4866,7 @@ static int indexedbasecolor(i_ctx_t * i_
+             code = array_get(imemory, space, 3, &proc);
+             if (code < 0)
+                 return code;
+            check_proc(proc);
+             *ep = proc;        /* lookup proc */
+             return o_push_estack;
+         } else {
+@@ -4877,6 +4880,9 @@ static int indexedbasecolor(i_ctx_t * i_
+             if (!r_has_type(op, t_integer))
+                 return_error (gs_error_typecheck);
+             index = op->value.intval;
+            /* Ensure it is in range. See bug #707990 */
+            if (index < 0 || index > pcs->params.indexed.hival)
+                return_error(gs_error_rangecheck);
+             /* And remove it from the stack. */
+             ref_stack_pop(&o_stack, 1);
+             op = osp;
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46956.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46956.patch
new file mode 100644
index 0000000000..77cf8a7da0
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46956.patch
@@ -0,0 +1,30 @@
+From ea69a1388245ad959d31c272b5ba66d40cebba2c Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Tue, 23 Jul 2024 11:48:39 +0100
+Subject: PostScript interpreter - fix buffer length check
+Bug 707895
+See bug report for details.
+CVE-2024-46956
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches/CVE-2024-46956.patch?h=ubuntu/jammy-security
+Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ea69a1388245ad959d31c272b5ba66d40cebba2c]
+CVE: CVE-2024-46956
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ psi/zfile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+--- a/psi/zfile.c
+++ b/psi/zfile.c
+@@ -440,7 +440,7 @@ file_continue(i_ctx_t *i_ctx_p)
+         if (code == ~(uint) 0) {    /* all done */
+             esp -= 5;               /* pop proc, pfen, devlen, iodev , mark */
+             return o_pop_estack;
+-        } else if (code > len) {      /* overran string */
+        } else if (code > len - devlen) {      /* overran string */
+             return_error(gs_error_rangecheck);
+         }
+         else if (iodev != iodev_default(imemory)
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 9f368a291f..cd0a7de70e 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -57,6 +57,11 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2024-29508-1.patch \
                file://CVE-2024-29508-2.patch \
                file://CVE-2023-46361.patch \
+                file://CVE-2024-46951.patch \
+                file://CVE-2024-46952.patch \
+                file://CVE-2024-46953.patch \
+                file://CVE-2024-46955.patch \
+                file://CVE-2024-46956.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Vijay Anusuri <vanusuri@mvista.com>	2024-11-15 08:56:59 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-11-27 06:27:25 -0800
commit	86be079fa42760ecb9a9652df87b00a8f350098d (patch)
tree	8815bb73b100fb0d99527f712baf5d5447066050 /meta/recipes-extended
parent	8e092852b63e998d990b8f8e1aa91297dec4430f (diff)
download	poky-86be079fa42760ecb9a9652df87b00a8f350098d.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46951.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46951.patch new file mode 100644 index 0000000000..b3481f03a4 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46951.patch
@@ -0,0 +1,31 @@
		1	From ada21374f0c90cc3acf7ce0e96302394560c7aee Mon Sep 17 00:00:00 2001
		2	From: Zdenek Hutyra <zhutyra@centrum.cz>
		3	Date: Fri, 30 Aug 2024 13:16:39 +0100
		4	Subject: PS interpreter - check the type of the Pattern Implementation
		5
		6	Bug #707991
		7
		8	See bug report for details.
		9
		10	CVE-2024-46951
		11
		12	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches/CVE-2024-46951.patch?h=ubuntu/jammy-security
		13	Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ada21374f0c90cc3acf7ce0e96302394560c7aee]
		14	CVE: CVE-2024-46951
		15	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		16	---
		17	psi/zcolor.c \| 3 +++
		18	1 file changed, 3 insertions(+)
		19
		20	--- a/psi/zcolor.c
		21	+++ b/psi/zcolor.c
		22	@@ -5054,6 +5054,9 @@ static int patterncomponent(i_ctx_t * i_
		23	code = array_get(imemory, pImpl, 0, &pPatInst);
		24	if (code < 0)
		25	return code;
		26	+
		27	+ if (!r_is_struct(&pPatInst) \|\| (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
		28	+ return_error(gs_error_typecheck);
		29	cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
		30	if (pattern_instance_uses_base_space(cc.pattern))
		31	*n = n_comps;


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46952.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46952.patch new file mode 100644 index 0000000000..8b495a6f99 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46952.patch
@@ -0,0 +1,62 @@
		1	From 1fb76aaddac34530242dfbb9579d9997dae41264 Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <Ken.Sharp@artifex.com>
		3	Date: Mon, 2 Sep 2024 15:14:01 +0100
		4	Subject: PDF interpreter - sanitise W array values in Xref streams
		5
		6	Bug #708001 "Buffer overflow in PDF XRef stream"
		7
		8	See bug report. I've chosen to fix this by checking the values in the
		9	W array; these can (currently at least) only have certain relatively
		10	small values.
		11
		12	As a future proofing fix I've also updated field_size in
		13	pdf_xref_stream_entries() to be a 64-bit integer. This is far bigger
		14	than required, but matches the W array values and so prevents the
		15	mismatch which could lead to a buffer overrun.
		16
		17	CVE-2024-46952
		18
		19	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches/CVE-2024-46952.patch?h=ubuntu/jammy-security
		20	Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1fb76aaddac34530242dfbb9579d9997dae41264]
		21	CVE: CVE-2024-46952
		22	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		23	---
		24	pdf/pdf_xref.c \| 20 +++++++++++++++++++-
		25	1 file changed, 19 insertions(+), 1 deletion(-)
		26
		27	--- a/pdf/pdf_xref.c
		28	+++ b/pdf/pdf_xref.c
		29	@@ -53,7 +53,7 @@ static int resize_xref(pdf_context *ctx,
		30	static int read_xref_stream_entries(pdf_context ctx, pdf_c_stream s, uint64_t first, uint64_t last, uint64_t *W)
		31	{
		32	uint i, j;
		33	- uint field_width = 0;
		34	+ uint64_t field_width = 0;
		35	uint32_t type = 0;
		36	uint64_t objnum = 0, gen = 0;
		37	byte *Buffer;
		38	@@ -292,6 +292,24 @@ static int pdfi_process_xref_stream(pdf_
		39	}
		40	pdfi_countdown(a);
		41
		42	+ /* W[0] is either:
		43	+ * 0 (no type field) or a single byte with the type.
		44	+ * W[1] is either:
		45	+ * The object number of the next free object, the byte offset of this object in the file or the object5 number of the object stream where this object is stored.
		46	+ * W[2] is either:
		47	+ * The generation number to use if this object is used again, the generation number of the object or the index of this object within the object stream.
		48	+ *
		49	+ * Object and generation numbers are limited to unsigned 64-bit values, as are bytes offsets in the file, indexes of objects within the stream likewise (actually
		50	+ * most of these are generally 32-bit max). So we can limit the field widths to 8 bytes, enough to hold a 64-bit number.
		51	+ * Even if a later version of the spec makes these larger (which seems unlikely!) we still cna't cope with integers > 64-bits.
		52	+ */
		53	+ if (W[0] > 1 \|\| W[1] > 8 \|\| W[2] > 8) {
		54	+ pdfi_close_file(ctx, XRefStrm);
		55	+ pdfi_countdown(ctx->xref_table);
		56	+ ctx->xref_table = NULL;
		57	+ return code;
		58	+ }
		59	+
		60	code = pdfi_dict_get_type(ctx, sdict, "Index", PDF_ARRAY, (pdf_obj **)&a);
		61	if (code == gs_error_undefined) {
		62	code = read_xref_stream_entries(ctx, XRefStrm, 0, size - 1, (uint64_t *)W);


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46953.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46953.patch new file mode 100644 index 0000000000..0e36838907 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46953.patch
@@ -0,0 +1,67 @@
		1	From 294a3755e33f453dd92e2a7c4cfceb087ac09d6a Mon Sep 17 00:00:00 2001
		2	From: Zdenek Hutyra <zhutyra@centrum.cz>
		3	Date: Mon, 27 May 2024 13:38:36 +0100
		4	Subject: Bug 707793: Check for overflow validating format string
		5
		6	for the output file name
		7
		8	CVE-2024-46953
		9
		10	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches/CVE-2024-46953.patch?h=ubuntu/jammy-security
		11	Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=294a3755e33f453dd92e2a7c4cfceb087ac09d6a]
		12	CVE: CVE-2024-46953
		13	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		14	---
		15	base/gsdevice.c \| 17 +++++++++++++----
		16	1 file changed, 13 insertions(+), 4 deletions(-)
		17
		18	--- a/base/gsdevice.c
		19	+++ b/base/gsdevice.c
		20	@@ -1069,7 +1069,7 @@ static int
		21	gx_parse_output_format(gs_parsed_file_name_t pfn, const char *pfmt)
		22	{
		23	bool have_format = false, field;
		24	- int width[2], int_width = sizeof(int) * 3, w = 0;
		25	+ uint width[2], int_width = sizeof(int) * 3, w = 0;
		26	uint i;
		27
		28	/* Scan the file name for a format string, and validate it if present. */
		29	@@ -1098,6 +1098,8 @@ gx_parse_output_format(gs_parsed_file_na
		30	default: /* width (field = 0) and precision (field = 1) */
		31	if (strchr("0123456789", pfn->fname[i])) {
		32	width[field] = width[field] * 10 + pfn->fname[i] - '0';
		33	+ if (width[field] > max_int)
		34	+ return_error(gs_error_undefinedfilename);
		35	continue;
		36	} else if (0 == field && '.' == pfn->fname[i]) {
		37	field++;
		38	@@ -1126,8 +1128,10 @@ gx_parse_output_format(gs_parsed_file_na
		39	/* Calculate a conservative maximum width. */
		40	w = max(width[0], width[1]);
		41	w = max(w, int_width) + 5;
		42	+ if (w > max_int)
		43	+ return_error(gs_error_undefinedfilename);
		44	}
		45	- return w;
		46	+ return (int)w;
		47	}
		48
		49	/*
		50	@@ -1180,10 +1184,15 @@ gx_parse_output_file_name(gs_parsed_file
		51	if (!pfn->fname)
		52	return 0;
		53	code = gx_parse_output_format(pfn, pfmt);
		54	- if (code < 0)
		55	+ if (code < 0) {
		56	return code;
		57	- if (strlen(pfn->iodev->dname) + pfn->len + code >= gp_file_name_sizeof)
		58	+ }
		59	+
		60	+ if (pfn->len >= gp_file_name_sizeof - strlen(pfn->iodev->dname) \|\|
		61	+ code >= gp_file_name_sizeof - strlen(pfn->iodev->dname) - pfn->len) {
		62	return_error(gs_error_undefinedfilename);
		63	+ }
		64	+
		65	return 0;
		66	}
		67


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46955.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46955.patch new file mode 100644 index 0000000000..9186412a48 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46955.patch
@@ -0,0 +1,60 @@
		1	From ca1fc2aefe9796e321d0589afe7efb35063c8b2a Mon Sep 17 00:00:00 2001
		2	From: Zdenek Hutyra <zhutyra@centrum.cz>
		3	Date: Fri, 30 Aug 2024 13:11:53 +0100
		4	Subject: PS interpreter - check Indexed colour space index
		5
		6	Bug #707990 "Out of bounds read when reading color in "Indexed" color space"
		7
		8	Check the 'index' is in the valid range (0 to hival) for the colour
		9	space.
		10
		11	Also a couple of additional checks on the type of the 'proc' for
		12	Indexed, DeviceN and Separation spaces. Make sure these really are
		13	procs in case the user changed the colour space array.
		14
		15	CVE-2024-46955
		16
		17	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches/CVE-2024-46955.patch?h=ubuntu/jammy-security
		18	Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ca1fc2aefe9796e321d0589afe7efb35063c8b2a]
		19	CVE: CVE-2024-46955
		20	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		21	---
		22	psi/zcolor.c \| 6 ++++++
		23	1 file changed, 6 insertions(+)
		24
		25	--- a/psi/zcolor.c
		26	+++ b/psi/zcolor.c
		27	@@ -3628,6 +3628,7 @@ static int septransform(i_ctx_t *i_ctx_p
		28	code = array_get(imemory, sepspace, 3, &proc);
		29	if (code < 0)
		30	return code;
		31	+ check_proc(proc);
		32	*esp = proc;
		33	return o_push_estack;
		34	}
		35	@@ -4449,6 +4450,7 @@ static int devicentransform(i_ctx_t *i_c
		36	code = array_get(imemory, devicenspace, 3, &proc);
		37	if (code < 0)
		38	return code;
		39	+ check_proc(proc);
		40	*esp = proc;
		41	return o_push_estack;
		42	}
		43	@@ -4864,6 +4866,7 @@ static int indexedbasecolor(i_ctx_t * i_
		44	code = array_get(imemory, space, 3, &proc);
		45	if (code < 0)
		46	return code;
		47	+ check_proc(proc);
		48	ep = proc; / lookup proc */
		49	return o_push_estack;
		50	} else {
		51	@@ -4877,6 +4880,9 @@ static int indexedbasecolor(i_ctx_t * i_
		52	if (!r_has_type(op, t_integer))
		53	return_error (gs_error_typecheck);
		54	index = op->value.intval;
		55	+ /* Ensure it is in range. See bug #707990 */
		56	+ if (index < 0 \|\| index > pcs->params.indexed.hival)
		57	+ return_error(gs_error_rangecheck);
		58	/* And remove it from the stack. */
		59	ref_stack_pop(&o_stack, 1);
		60	op = osp;


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46956.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46956.patch new file mode 100644 index 0000000000..77cf8a7da0 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-46956.patch
@@ -0,0 +1,30 @@
		1	From ea69a1388245ad959d31c272b5ba66d40cebba2c Mon Sep 17 00:00:00 2001
		2	From: Zdenek Hutyra <zhutyra@centrum.cz>
		3	Date: Tue, 23 Jul 2024 11:48:39 +0100
		4	Subject: PostScript interpreter - fix buffer length check
		5
		6	Bug 707895
		7
		8	See bug report for details.
		9
		10	CVE-2024-46956
		11
		12	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches/CVE-2024-46956.patch?h=ubuntu/jammy-security
		13	Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ea69a1388245ad959d31c272b5ba66d40cebba2c]
		14	CVE: CVE-2024-46956
		15	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		16	---
		17	psi/zfile.c \| 2 +-
		18	1 file changed, 1 insertion(+), 1 deletion(-)
		19
		20	--- a/psi/zfile.c
		21	+++ b/psi/zfile.c
		22	@@ -440,7 +440,7 @@ file_continue(i_ctx_t *i_ctx_p)
		23	if (code == ~(uint) 0) { /* all done */
		24	esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
		25	return o_pop_estack;
		26	- } else if (code > len) { /* overran string */
		27	+ } else if (code > len - devlen) { /* overran string */
		28	return_error(gs_error_rangecheck);
		29	}
		30	else if (iodev != iodev_default(imemory)


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 9f368a291f..cd0a7de70e 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -57,6 +57,11 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
57	file://CVE-2024-29508-1.patch \	57	file://CVE-2024-29508-1.patch \
58	file://CVE-2024-29508-2.patch \	58	file://CVE-2024-29508-2.patch \
59	file://CVE-2023-46361.patch \	59	file://CVE-2023-46361.patch \
		60	file://CVE-2024-46951.patch \
		61	file://CVE-2024-46952.patch \
		62	file://CVE-2024-46953.patch \
		63	file://CVE-2024-46955.patch \
		64	file://CVE-2024-46956.patch \
60	"	65	"
61		66
62	SRC_URI = "${SRC_URI_BASE} \	67	SRC_URI = "${SRC_URI_BASE} \