ghostscript: fix CVE-2023-46361

Artifex Software jbig2dec v0.20 was discovered to contain a SEGV vulnerability via jbig2_error at /jbig2dec/jbig2.c. (From OE-Core rev: 3e9018fb14466495be7472a8620918347c732e86) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2024-11-08 13:09:12 +0000
committer: Steve Sakoman <steve@sakoman.com> 2024-11-15 06:05:32 -0800
commit: a84e68cd5d6a690c3afe76cab789f3e0878db7a2 (patch)
tree: 29dd70f95fd882c85a38c2c788dfd865d3d62769 /meta/recipes-extended
parent: 3aaed26728b2d8bcb66db94792fc080a37e2d9d3 (diff)
download: poky-a84e68cd5d6a690c3afe76cab789f3e0878db7a2.tar.gz
2 files changed, 33 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46361.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46361.patch
new file mode 100644
index 0000000000..d91a94e9d0
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46361.patch
@@ -0,0 +1,32 @@
+From 44ca5b9d023e1de33fcb8984c85bb29619c4db7e Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Sun, 5 Nov 2023 12:21:52 +0100
+Subject: [PATCH] Bug 705041: jbig2dec: Avoid uninitialized allocator in
+ command-line tool.
+This fixes CVE-2023-46361.
+CVE: CVE-2023-46361
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=44ca5b9d023e1de33fcb8984c85bb29619c4db7e]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ jbig2dec/jbig2dec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/jbig2dec/jbig2dec.c b/jbig2dec/jbig2dec.c
+index dc1fd56..78c8e89 100644
+--- a/jbig2dec/jbig2dec.c
+++ b/jbig2dec/jbig2dec.c
+@@ -567,7 +567,7 @@ main(int argc, char **argv)
+ {
+     jbig2dec_params_t params;
+     jbig2dec_error_callback_state_t error_callback_state;
+-    jbig2dec_allocator_t allocator_;
+    jbig2dec_allocator_t allocator_ = { 0 };
+     jbig2dec_allocator_t *allocator = &allocator_;
+     Jbig2Ctx *ctx = NULL;
+     FILE *f = NULL, *f_page = NULL;
+--
+2.40.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 969e637f5e..9f368a291f 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -56,6 +56,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2024-29506.patch \
                file://CVE-2024-29508-1.patch \
                file://CVE-2024-29508-2.patch \
+                file://CVE-2023-46361.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Archana Polampalli <archana.polampalli@windriver.com>	2024-11-08 13:09:12 +0000
committer	Steve Sakoman <steve@sakoman.com>	2024-11-15 06:05:32 -0800
commit	a84e68cd5d6a690c3afe76cab789f3e0878db7a2 (patch)
tree	29dd70f95fd882c85a38c2c788dfd865d3d62769 /meta/recipes-extended
parent	3aaed26728b2d8bcb66db94792fc080a37e2d9d3 (diff)
download	poky-a84e68cd5d6a690c3afe76cab789f3e0878db7a2.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46361.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46361.patch new file mode 100644 index 0000000000..d91a94e9d0 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46361.patch
@@ -0,0 +1,32 @@
		1	From 44ca5b9d023e1de33fcb8984c85bb29619c4db7e Mon Sep 17 00:00:00 2001
		2	From: Sebastian Rasmussen <sebras@gmail.com>
		3	Date: Sun, 5 Nov 2023 12:21:52 +0100
		4	Subject: [PATCH] Bug 705041: jbig2dec: Avoid uninitialized allocator in
		5	command-line tool.
		6
		7	This fixes CVE-2023-46361.
		8
		9	CVE: CVE-2023-46361
		10
		11	Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=44ca5b9d023e1de33fcb8984c85bb29619c4db7e]
		12
		13	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		14	---
		15	jbig2dec/jbig2dec.c \| 2 +-
		16	1 file changed, 1 insertion(+), 1 deletion(-)
		17
		18	diff --git a/jbig2dec/jbig2dec.c b/jbig2dec/jbig2dec.c
		19	index dc1fd56..78c8e89 100644
		20	--- a/jbig2dec/jbig2dec.c
		21	+++ b/jbig2dec/jbig2dec.c
		22	@@ -567,7 +567,7 @@ main(int argc, char **argv)
		23	{
		24	jbig2dec_params_t params;
		25	jbig2dec_error_callback_state_t error_callback_state;
		26	- jbig2dec_allocator_t allocator_;
		27	+ jbig2dec_allocator_t allocator_ = { 0 };
		28	jbig2dec_allocator_t *allocator = &allocator_;
		29	Jbig2Ctx *ctx = NULL;
		30	FILE f = NULL, f_page = NULL;
		31	--
		32	2.40.0


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 969e637f5e..9f368a291f 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -56,6 +56,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
56	file://CVE-2024-29506.patch \	56	file://CVE-2024-29506.patch \
57	file://CVE-2024-29508-1.patch \	57	file://CVE-2024-29508-1.patch \
58	file://CVE-2024-29508-2.patch \	58	file://CVE-2024-29508-2.patch \
		59	file://CVE-2023-46361.patch \
59	"	60	"
60		61
61	SRC_URI = "${SRC_URI_BASE} \	62	SRC_URI = "${SRC_URI_BASE} \