2 files changed, 35 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch
new file mode 100644
index 0000000000..9cdefc5201
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch
@@ -0,0 +1,34 @@
+From de900010a6f2310d1fd54e99eeba466693da0e13 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Wed, 20 Nov 2024 11:27:52 +0000
+Subject: Bug 708131: Fix confusion between bytes and shorts
+We were copying data from a string in multiple of shorts, rather than multiple
+of bytes, leading to both an read (probably benign, given the memory manager)
+and write buffer overflow.
+CVE-2025-27835
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=de900010a6f2310d1fd54e99eeba466693da0e13]
+CVE: CVE-2025-27835
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ psi/zbfont.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/psi/zbfont.c b/psi/zbfont.c
+index acffb39ef..5850ab54d 100644
+--- a/psi/zbfont.c
+++ b/psi/zbfont.c
+@@ -253,7 +253,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u
+                     if (l > length)
+                         return l;
+ 
+-                    memcpy(unicode_return, v->value.const_bytes, l * sizeof(short));
+                    memcpy(unicode_return, v->value.const_bytes, l);
+                     return l;
+                 }
+                 if (r_type(v) == t_integer) {
+-- 
+cgit v1.2.3
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 376d4a300e..abc0238ddc 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -67,6 +67,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2025-27831.patch \
                file://CVE-2025-27832.patch \
                file://CVE-2025-27834.patch \
+                file://CVE-2025-27835.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch new file mode 100644 index 0000000000..9cdefc5201 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch
@@ -0,0 +1,34 @@
		1	From de900010a6f2310d1fd54e99eeba466693da0e13 Mon Sep 17 00:00:00 2001
		2	From: Zdenek Hutyra <zhutyra@centrum.cz>
		3	Date: Wed, 20 Nov 2024 11:27:52 +0000
		4	Subject: Bug 708131: Fix confusion between bytes and shorts
		5
		6	We were copying data from a string in multiple of shorts, rather than multiple
		7	of bytes, leading to both an read (probably benign, given the memory manager)
		8	and write buffer overflow.
		9
		10	CVE-2025-27835
		11
		12	Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=de900010a6f2310d1fd54e99eeba466693da0e13]
		13	CVE: CVE-2025-27835
		14	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		15	---
		16	psi/zbfont.c \| 2 +-
		17	1 file changed, 1 insertion(+), 1 deletion(-)
		18
		19	diff --git a/psi/zbfont.c b/psi/zbfont.c
		20	index acffb39ef..5850ab54d 100644
		21	--- a/psi/zbfont.c
		22	+++ b/psi/zbfont.c
		23	@@ -253,7 +253,7 @@ gs_font_map_glyph_to_unicode(gs_font font, gs_glyph glyph, int ch, ushort u, u
		24	if (l > length)
		25	return l;
		26
		27	- memcpy(unicode_return, v->value.const_bytes, l * sizeof(short));
		28	+ memcpy(unicode_return, v->value.const_bytes, l);
		29	return l;
		30	}
		31	if (r_type(v) == t_integer) {
		32	--
		33	cgit v1.2.3
		34


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 376d4a300e..abc0238ddc 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -67,6 +67,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
67	file://CVE-2025-27831.patch \	67	file://CVE-2025-27831.patch \
68	file://CVE-2025-27832.patch \	68	file://CVE-2025-27832.patch \
69	file://CVE-2025-27834.patch \	69	file://CVE-2025-27834.patch \
		70	file://CVE-2025-27835.patch \
70	"	71	"
71		72
72	SRC_URI = "${SRC_URI_BASE} \	73	SRC_URI = "${SRC_URI_BASE} \