3 files changed, 136 insertions, 0 deletions
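--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831-pre1.patch
@@ -0,0 +1,50 @@
+Partial backport of:
+
+From bf79b61cb1677d6865c45d397435848a21e8a647 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Tue, 27 Sep 2022 13:03:57 +0100
+Subject: [PATCH] PCL interpreter - fix decode_glyph for Unicode
+
+The text extraction (and pdfwrite family) expect that decode_glyph
+should always return pairs of bytes (an assumption that Unicode code
+points are 2 bytes), and the return value from the routine should be
+the number of bytes required to hold the value.
+
+The PCL decode_glyph routine however was simply returning 1, which
+caused the text extraction code some difficulty since it wasn't
+expecting that.
+
+This commit firstly alters the text extraction code to cope 'better'
+with a decode_glyph routine which returns an odd value (basically
+ignore it and fall back to using the character code).
+
+We also alter the pl_decode_glyph routine to return 2 instead of 1,
+so that it correctly tells the caller that it is returning 2 bytes.
+Finally we make sure that the returned value is big-endian, because the
+text extraction code assumes it will be.
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=bf79b61cb1677d6865c45d397435848a21e8a647]
+CVE: CVE-2025-27831 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+devices/vector/doc_common.c | 8 ++++++++
+pcl/pl/plfont.c | 12 +++++++++---
+2 files changed, 17 insertions(+), 3 deletions(-)
+
+--- a/devices/vector/doc_common.c
++++ b/devices/vector/doc_common.c
+@@ -513,6 +513,14 @@ int txt_get_unicode(gx_device *dev, gs_f
+char *b, *u;
+int l = length - 1;
+
++ /* Real Unicode values should be at least 2 bytes. In fact I think the code assumes exactly
++ * 2 bytes. If we got an odd number, give up and return the character code.
++ */
++ if (length & 1) {
++ *Buffer = fallback;
++ return 1;
++ }
++
+unicode = (ushort *)gs_alloc_bytes(dev->memory, length, "temporary Unicode array");
+length = font->procs.decode_glyph((gs_font *)font, glyph, ch, unicode, length);
+#if ARCH_IS_BIG_ENDIAN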
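Review bot: The header says "Partial backport of:" but keeps the upstream message and diffstat unchanged, so it still describes the pl_decode_glyph change and lists `pcl/pl/plfont.c | 12 +++++++++---`, while the only hunk carried is the one for devices/vector/doc_common.c. A line under the header stating what was dropped and why would keep later CVE triage from assuming the PCL side is patched, for example `Only the doc_common.c hunk is taken; the pcl/pl/plfont.c change is not applied.`. The txt_get_unicode body starts and ends outside the hunk.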
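--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831.patch
@@ -0,0 +1,84 @@
+From d6e713dda4f8d75c6a4ed8c7568a0d4f532dcb17 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Thu, 21 Nov 2024 10:04:17 +0000
+Subject: Prevent Unicode decoding overrun
+
+Bug #708132 "Text buffer overflow with long characters"
+
+The txt_get_unicode function was copying too few bytes from the
+fixed glyph name to unicode mapping tables. This was probably
+causing incorrect Unicode code points in relatively rare cases but
+not otherwise a problem.
+
+However, a badly formed GlyphNames2Unicode array attached to a font
+could cause the decoding to spill over the assigned buffer.
+
+We really should rewrite the Unicode handling, but until we do just
+checking that the length is no more than 4 Unicode code points is
+enough to prevent an overrun. All the current clients allocate at least
+4 code points per character code.
+
+Added a comment to explain the magic number.
+
+CVE-2025-27831
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=d6e713dda4f8d75c6a4ed8c7568a0d4f532dcb17]
+CVE: CVE-2025-27831
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+devices/vector/doc_common.c | 14 +++++++++-----
+1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/devices/vector/doc_common.c b/devices/vector/doc_common.c
+index 690f8eaed..05fb3d51f 100644
+--- a/devices/vector/doc_common.c
++++ b/devices/vector/doc_common.c
+@@ -479,7 +479,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
+}
+if (strlen(dentry->Glyph) == gnstr.size) {
+if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) {
+- memcpy(Buffer, dentry->Unicode, 2);
++ memcpy(Buffer, dentry->Unicode, 2 * sizeof(unsigned short));
+return 2;
+}
+}
+@@ -497,7 +497,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
+}
+if (strlen(tentry->Glyph) == gnstr.size) {
+if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) {
+- memcpy(Buffer, tentry->Unicode, 3);
++ memcpy(Buffer, tentry->Unicode, 3 * sizeof(unsigned short));
+return 3;
+}
+}
+@@ -515,7 +515,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
+}
+if (strlen(qentry->Glyph) == gnstr.size) {
+if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) {
+- memcpy(Buffer, qentry->Unicode, 4);
++ memcpy(Buffer, qentry->Unicode, 4 * sizeof(unsigned short));
+return 4;
+}
+}
+@@ -527,12 +527,16 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
+return 1;
+} else {
+char *b, *u;
+- int l = length - 1;
++ int l;
+
+/* Real Unicode values should be at least 2 bytes. In fact I think the code assumes exactly
+* 2 bytes. If we got an odd number, give up and return the character code.
++ *
++ * The magic number here is due to the clients calling this code. Currently txtwrite and docxwrite
++ * allow up to 4 Unicode values per character/glyph, if the length would exceed that we can't
++ * write it. For now, again, fall back to the character code.
+*/
+- if (length & 1) {
++ if (length & 1 || length > 4 * sizeof(unsigned short)) {
+*Buffer = fallback;
+return 1;
+}
+--
+cgit v1.2.3
+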
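Review bot: In the last hunk of the embedded patch `int l = length - 1;` becomes `int l;`, and nothing between that declaration and the end of the hunk assigns `l`; the code that uses it sits outside the hunk, past the `#if ARCH_IS_BIG_ENDIAN` visible in the -pre1 patch. This is safe only if the 9.55.0 copy of txt_get_unicode initialises `l` itself where it is used, which this page does not show. If that code still relies on the starting value, the backport would read an uninitialised variable while copying into Buffer, and the declaration should stay `int l = length - 1;` below the new length check. Please confirm against the unpacked 9.55.0 source before merging.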
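--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -63,6 +63,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
 file://CVE-2024-46955.patch \
 file://CVE-2024-46956.patch \
 file://CVE-2025-27830.patch \
+file://CVE-2025-27831-pre1.patch \
+file://CVE-2025-27831.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \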
