2 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch
new file mode 100644
index 0000000000..9c2b9dcfa2
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch
@@ -0,0 +1,99 @@
+From 79aef19c685984dc3da2dc090450407d9fbcff80 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Tue, 26 Mar 2024 12:00:14 +0000
+Subject: [PATCH 1/5] Bug #707686
+See bug thread for details
+In addition to the noted bug; an error path (return from
+gp_file_name_reduce not successful) could elad to a memory leak as we
+did not free 'bufferfull'. Fix that too.
+This addresses CVE-2024-33870
+CVE: CVE-2024-33870
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ base/gpmisc.c | 36 ++++++++++++++++++++++++++++++++----
+ 1 file changed, 32 insertions(+), 4 deletions(-)
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 2b0064b..c4a69b0 100644
+--- a/base/gpmisc.c
+++ b/base/gpmisc.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
+    All Rights Reserved.
+    This software is provided AS-IS with no warranty, either express or
+@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+                      const uint         len,
+                      const char        *mode)
+ {
+-    char *buffer, *bufferfull;
+    char *buffer, *bufferfull = NULL;
+     uint rlen;
+     int code = 0;
+     const char *cdirstr = gp_file_name_current();
+@@ -1096,8 +1096,10 @@ gp_validate_path_len(const gs_memory_t *mem,
+             return gs_error_VMerror;
+         buffer = bufferfull + prefix_len;
+-        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-            return gs_error_invalidfileaccess;
+        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
+            code = gs_note_error(gs_error_invalidfileaccess);
+            goto exit;
+        }
+         buffer[rlen] = 0;
+     }
+     while (1) {
+@@ -1132,9 +1134,34 @@ gp_validate_path_len(const gs_memory_t *mem,
+             code = gs_note_error(gs_error_invalidfileaccess);
+         }
+         if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
+            uint newlen = rlen + cdirstrl + dirsepstrl;
+            char *newbuffer;
+            int code;
+
+             buffer = bufferfull;
+             memcpy(buffer, cdirstr, cdirstrl);
+             memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
+
+            /* We've prepended a './' or similar for the current working directory. We need
+             * to execute file_name_reduce on that, to eliminate any '../' or similar from
+             * the (new) full path.
+             */
+            newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
+            if (newbuffer == NULL) {
+                code = gs_note_error(gs_error_VMerror);
+                goto exit;
+            }
+
+            memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
+            newbuffer[newlen] = 0x00;
+
+            code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
+            gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
+            if (code != gp_combine_success) {
+                code = gs_note_error(gs_error_invalidfileaccess);
+                goto exit;
+            }
+
+             continue;
+         }
+         else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
+@@ -1153,6 +1180,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+                                            gs_path_control_flag_is_scratch_file);
+     }
+exit:
+     gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
+ #ifdef EACCES
+     if (code == gs_error_invalidfileaccess)
+--
+2.40.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb
index 3dff16eec2..ca6f628f38 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb
@@ -26,6 +26,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo
           file://ghostscript-9.16-Werror-return-type.patch \
           file://avoid-host-contamination.patch \
           file://configure.ac-add-option-to-explicitly-disable-neon.patch \
+           file://CVE-2024-33870.patch \
           "
 SRC_URI[sha256sum] = "e429e4f5b01615a4f0f93a4128e8a1a4d932dff983b1774174c79c0630717ad9"

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch new file mode 100644 index 0000000000..9c2b9dcfa2 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch
@@ -0,0 +1,99 @@
		1	From 79aef19c685984dc3da2dc090450407d9fbcff80 Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <Ken.Sharp@artifex.com>
		3	Date: Tue, 26 Mar 2024 12:00:14 +0000
		4	Subject: [PATCH 1/5] Bug #707686
		5
		6	See bug thread for details
		7
		8	In addition to the noted bug; an error path (return from
		9	gp_file_name_reduce not successful) could elad to a memory leak as we
		10	did not free 'bufferfull'. Fix that too.
		11
		12	This addresses CVE-2024-33870
		13
		14	CVE: CVE-2024-33870
		15
		16	Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc]
		17
		18	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		19	---
		20	base/gpmisc.c \| 36 ++++++++++++++++++++++++++++++++----
		21	1 file changed, 32 insertions(+), 4 deletions(-)
		22
		23	diff --git a/base/gpmisc.c b/base/gpmisc.c
		24	index 2b0064b..c4a69b0 100644
		25	--- a/base/gpmisc.c
		26	+++ b/base/gpmisc.c
		27	@@ -1,4 +1,4 @@
		28	-/* Copyright (C) 2001-2023 Artifex Software, Inc.
		29	+/* Copyright (C) 2001-2024 Artifex Software, Inc.
		30	All Rights Reserved.
		31
		32	This software is provided AS-IS with no warranty, either express or
		33	@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
		34	const uint len,
		35	const char *mode)
		36	{
		37	- char buffer, bufferfull;
		38	+ char buffer, bufferfull = NULL;
		39	uint rlen;
		40	int code = 0;
		41	const char *cdirstr = gp_file_name_current();
		42	@@ -1096,8 +1096,10 @@ gp_validate_path_len(const gs_memory_t *mem,
		43	return gs_error_VMerror;
		44
		45	buffer = bufferfull + prefix_len;
		46	- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		47	- return gs_error_invalidfileaccess;
		48	+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
		49	+ code = gs_note_error(gs_error_invalidfileaccess);
		50	+ goto exit;
		51	+ }
		52	buffer[rlen] = 0;
		53	}
		54	while (1) {
		55	@@ -1132,9 +1134,34 @@ gp_validate_path_len(const gs_memory_t *mem,
		56	code = gs_note_error(gs_error_invalidfileaccess);
		57	}
		58	if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
		59	+ uint newlen = rlen + cdirstrl + dirsepstrl;
		60	+ char *newbuffer;
		61	+ int code;
		62	+
		63	buffer = bufferfull;
		64	memcpy(buffer, cdirstr, cdirstrl);
		65	memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
		66	+
		67	+ /* We've prepended a './' or similar for the current working directory. We need
		68	+ * to execute file_name_reduce on that, to eliminate any '../' or similar from
		69	+ * the (new) full path.
		70	+ */
		71	+ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
		72	+ if (newbuffer == NULL) {
		73	+ code = gs_note_error(gs_error_VMerror);
		74	+ goto exit;
		75	+ }
		76	+
		77	+ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
		78	+ newbuffer[newlen] = 0x00;
		79	+
		80	+ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
		81	+ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
		82	+ if (code != gp_combine_success) {
		83	+ code = gs_note_error(gs_error_invalidfileaccess);
		84	+ goto exit;
		85	+ }
		86	+
		87	continue;
		88	}
		89	else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
		90	@@ -1153,6 +1180,7 @@ gp_validate_path_len(const gs_memory_t *mem,
		91	gs_path_control_flag_is_scratch_file);
		92	}
		93
		94	+exit:
		95	gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
		96	#ifdef EACCES
		97	if (code == gs_error_invalidfileaccess)
		98	--
		99	2.40.0


diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb index 3dff16eec2..ca6f628f38 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb
@@ -26,6 +26,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo
26	file://ghostscript-9.16-Werror-return-type.patch \	26	file://ghostscript-9.16-Werror-return-type.patch \
27	file://avoid-host-contamination.patch \	27	file://avoid-host-contamination.patch \
28	file://configure.ac-add-option-to-explicitly-disable-neon.patch \	28	file://configure.ac-add-option-to-explicitly-disable-neon.patch \
		29	file://CVE-2024-33870.patch \
29	"	30	"
30		31
31	SRC_URI[sha256sum] = "e429e4f5b01615a4f0f93a4128e8a1a4d932dff983b1774174c79c0630717ad9"	32	SRC_URI[sha256sum] = "e429e4f5b01615a4f0f93a4128e8a1a4d932dff983b1774174c79c0630717ad9"