ghostscript: fix CVE-2024-29510

(From OE-Core rev: 202b2b0a5c447baf7d84c19b7829a81a846413d9) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2024-05-29 05:42:25 +0000
committer: Steve Sakoman <steve@sakoman.com> 2024-06-05 05:57:12 -0700
commit: 96b48c195a60ef6de2a43a66a8fa61b6a4baff10 (patch)
tree: 0c5e77142f521d6781967e153f0355e8a116ceaf /meta/recipes-extended
parent: 0c079e62fbfa8f1b3ac436b62d4234698f4fab97 (diff)
download: poky-96b48c195a60ef6de2a43a66a8fa61b6a4baff10.tar.gz
2 files changed, 85 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
new file mode 100644
index 0000000000..692d35157f
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
@@ -0,0 +1,84 @@
+From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 21 Mar 2024 09:01:15 +0000
+Subject: [PATCH 5/5] Uniprint device - prevent string configuration changes
+ when SAFER
+Bug #707662
+We cannot sanitise the string arguments used by the Uniprint device
+because they can potentially include anything.
+This commit ensures that these strings are locked and cannot be
+changed by PostScript once SAFER is activated. Full configuration from
+the command line is still possible (see the *.upp files in lib).
+This addresses CVE-2024-29510
+CVE: CVE-2024-29510
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+diff --git a/devices/gdevupd.c b/devices/gdevupd.c
+index 740dae0..a50571a 100644
+--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
+@@ -1887,6 +1887,16 @@ out on this copies.
+       if(!upd_strings[i]) continue;
+       UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
+       if(0 == code) {
+        if (gs_is_path_control_active(udev->memory)) {
+            if (strings[i].size != value.size)
+              error = gs_error_invalidaccess;
+            else {
+                if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
+                    error = gs_error_invalidaccess;
+            }
+            if (error < 0)
+                goto exit;
+        }
+          if(0 <= error) error |= UPD_PUT_STRINGS;
+          UPD_MM_DEL_PARAM(udev->memory, strings[i]);
+          if(!value.size) {
+@@ -1904,6 +1914,26 @@ out on this copies.
+       if(!upd_string_a[i]) continue;
+       UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
+       if(0 == code) {
+          if (gs_is_path_control_active(udev->memory)) {
+              if (string_a[i].size != value.size)
+                  error = gs_error_invalidaccess;
+              else {
+                  int loop;
+                  for (loop = 0;loop < string_a[i].size;loop++) {
+                      gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
+                      gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
+
+                      if (tmp1->size != tmp2->size)
+                          error = gs_error_invalidaccess;
+                      else {
+                          if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
+                              error = gs_error_invalidaccess;
+                      }
+                  }
+              }
+            if (error < 0)
+                goto exit;
+          }
+          if(0 <= error) error |= UPD_PUT_STRING_A;
+          UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
+          if(!value.size) {
+@@ -2098,6 +2128,7 @@ transferred into the device-structure. In the case of "uniprint", this may
+       if(0 > code) error = code;
+    }
+exit:
+    if(0 < error) { /* Actually something loaded without error */
+       if(!(upd = udev->upd)) {
+--
+2.40.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb
index 8bda4404cc..db9481816a 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo
           file://CVE-2024-33869-0001.patch \
           file://CVE-2024-33869-0002.patch \
           file://CVE-2024-33871.patch \
+           file://CVE-2024-29510.patch \
           "
 SRC_URI[sha256sum] = "e429e4f5b01615a4f0f93a4128e8a1a4d932dff983b1774174c79c0630717ad9"
author	Archana Polampalli <archana.polampalli@windriver.com>	2024-05-29 05:42:25 +0000
committer	Steve Sakoman <steve@sakoman.com>	2024-06-05 05:57:12 -0700
commit	96b48c195a60ef6de2a43a66a8fa61b6a4baff10 (patch)
tree	0c5e77142f521d6781967e153f0355e8a116ceaf /meta/recipes-extended
parent	0c079e62fbfa8f1b3ac436b62d4234698f4fab97 (diff)
download	poky-96b48c195a60ef6de2a43a66a8fa61b6a4baff10.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch new file mode 100644 index 0000000000..692d35157f --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
@@ -0,0 +1,84 @@
		1	From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <Ken.Sharp@artifex.com>
		3	Date: Thu, 21 Mar 2024 09:01:15 +0000
		4	Subject: [PATCH 5/5] Uniprint device - prevent string configuration changes
		5	when SAFER
		6
		7	Bug #707662
		8
		9	We cannot sanitise the string arguments used by the Uniprint device
		10	because they can potentially include anything.
		11
		12	This commit ensures that these strings are locked and cannot be
		13	changed by PostScript once SAFER is activated. Full configuration from
		14	the command line is still possible (see the *.upp files in lib).
		15
		16	This addresses CVE-2024-29510
		17
		18	CVE: CVE-2024-29510
		19
		20	Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e]
		21
		22	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		23	---
		24	devices/gdevupd.c \| 31 +++++++++++++++++++++++++++++++
		25	1 file changed, 31 insertions(+)
		26
		27	diff --git a/devices/gdevupd.c b/devices/gdevupd.c
		28	index 740dae0..a50571a 100644
		29	--- a/devices/gdevupd.c
		30	+++ b/devices/gdevupd.c
		31	@@ -1887,6 +1887,16 @@ out on this copies.
		32	if(!upd_strings[i]) continue;
		33	UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
		34	if(0 == code) {
		35	+ if (gs_is_path_control_active(udev->memory)) {
		36	+ if (strings[i].size != value.size)
		37	+ error = gs_error_invalidaccess;
		38	+ else {
		39	+ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
		40	+ error = gs_error_invalidaccess;
		41	+ }
		42	+ if (error < 0)
		43	+ goto exit;
		44	+ }
		45	if(0 <= error) error \|= UPD_PUT_STRINGS;
		46	UPD_MM_DEL_PARAM(udev->memory, strings[i]);
		47	if(!value.size) {
		48	@@ -1904,6 +1914,26 @@ out on this copies.
		49	if(!upd_string_a[i]) continue;
		50	UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
		51	if(0 == code) {
		52	+ if (gs_is_path_control_active(udev->memory)) {
		53	+ if (string_a[i].size != value.size)
		54	+ error = gs_error_invalidaccess;
		55	+ else {
		56	+ int loop;
		57	+ for (loop = 0;loop < string_a[i].size;loop++) {
		58	+ gs_param_string tmp1 = (gs_param_string )&(string_a[i].data[loop]);
		59	+ gs_param_string tmp2 = (gs_param_string )&value.data[loop];
		60	+
		61	+ if (tmp1->size != tmp2->size)
		62	+ error = gs_error_invalidaccess;
		63	+ else {
		64	+ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
		65	+ error = gs_error_invalidaccess;
		66	+ }
		67	+ }
		68	+ }
		69	+ if (error < 0)
		70	+ goto exit;
		71	+ }
		72	if(0 <= error) error \|= UPD_PUT_STRING_A;
		73	UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
		74	if(!value.size) {
		75	@@ -2098,6 +2128,7 @@ transferred into the device-structure. In the case of "uniprint", this may
		76	if(0 > code) error = code;
		77	}
		78
		79	+exit:
		80	if(0 < error) { /* Actually something loaded without error */
		81
		82	if(!(upd = udev->upd)) {
		83	--
		84	2.40.0


diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb index 8bda4404cc..db9481816a 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo
30	file://CVE-2024-33869-0001.patch \	30	file://CVE-2024-33869-0001.patch \
31	file://CVE-2024-33869-0002.patch \	31	file://CVE-2024-33869-0002.patch \
32	file://CVE-2024-33871.patch \	32	file://CVE-2024-33871.patch \
		33	file://CVE-2024-29510.patch \
33	"	34	"
34		35
35	SRC_URI[sha256sum] = "e429e4f5b01615a4f0f93a4128e8a1a4d932dff983b1774174c79c0630717ad9"	36	SRC_URI[sha256sum] = "e429e4f5b01615a4f0f93a4128e8a1a4d932dff983b1774174c79c0630717ad9"