2 files changed, 85 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
new file mode 100644
index 0000000000..692d35157f
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
@@ -0,0 +1,84 @@
+From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 21 Mar 2024 09:01:15 +0000
+Subject: [PATCH 5/5] Uniprint device - prevent string configuration changes
+ when SAFER
+Bug #707662
+We cannot sanitise the string arguments used by the Uniprint device
+because they can potentially include anything.
+This commit ensures that these strings are locked and cannot be
+changed by PostScript once SAFER is activated. Full configuration from
+the command line is still possible (see the *.upp files in lib).
+This addresses CVE-2024-29510
+CVE: CVE-2024-29510
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+diff --git a/devices/gdevupd.c b/devices/gdevupd.c
+index 740dae0..a50571a 100644
+--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
+@@ -1887,6 +1887,16 @@ out on this copies.
+       if(!upd_strings[i]) continue;
+       UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
+       if(0 == code) {
+        if (gs_is_path_control_active(udev->memory)) {
+            if (strings[i].size != value.size)
+              error = gs_error_invalidaccess;
+            else {
+                if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
+                    error = gs_error_invalidaccess;
+            }
+            if (error < 0)
+                goto exit;
+        }
+          if(0 <= error) error |= UPD_PUT_STRINGS;
+          UPD_MM_DEL_PARAM(udev->memory, strings[i]);
+          if(!value.size) {
+@@ -1904,6 +1914,26 @@ out on this copies.
+       if(!upd_string_a[i]) continue;
+       UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
+       if(0 == code) {
+          if (gs_is_path_control_active(udev->memory)) {
+              if (string_a[i].size != value.size)
+                  error = gs_error_invalidaccess;
+              else {
+                  int loop;
+                  for (loop = 0;loop < string_a[i].size;loop++) {
+                      gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
+                      gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
+
+                      if (tmp1->size != tmp2->size)
+                          error = gs_error_invalidaccess;
+                      else {
+                          if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
+                              error = gs_error_invalidaccess;
+                      }
+                  }
+              }
+            if (error < 0)
+                goto exit;
+          }
+          if(0 <= error) error |= UPD_PUT_STRING_A;
+          UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
+          if(!value.size) {
+@@ -2098,6 +2128,7 @@ transferred into the device-structure. In the case of "uniprint", this may
+       if(0 > code) error = code;
+    }
+exit:
+    if(0 < error) { /* Actually something loaded without error */
+       if(!(upd = udev->upd)) {
+--
+2.40.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb
index 8bda4404cc..db9481816a 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo
           file://CVE-2024-33869-0001.patch \
           file://CVE-2024-33869-0002.patch \
           file://CVE-2024-33871.patch \
+           file://CVE-2024-29510.patch \
           "
 SRC_URI[sha256sum] = "e429e4f5b01615a4f0f93a4128e8a1a4d932dff983b1774174c79c0630717ad9"

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch new file mode 100644 index 0000000000..692d35157f --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
@@ -0,0 +1,84 @@
		1	From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <Ken.Sharp@artifex.com>
		3	Date: Thu, 21 Mar 2024 09:01:15 +0000
		4	Subject: [PATCH 5/5] Uniprint device - prevent string configuration changes
		5	when SAFER
		6
		7	Bug #707662
		8
		9	We cannot sanitise the string arguments used by the Uniprint device
		10	because they can potentially include anything.
		11
		12	This commit ensures that these strings are locked and cannot be
		13	changed by PostScript once SAFER is activated. Full configuration from
		14	the command line is still possible (see the *.upp files in lib).
		15
		16	This addresses CVE-2024-29510
		17
		18	CVE: CVE-2024-29510
		19
		20	Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e]
		21
		22	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		23	---
		24	devices/gdevupd.c \| 31 +++++++++++++++++++++++++++++++
		25	1 file changed, 31 insertions(+)
		26
		27	diff --git a/devices/gdevupd.c b/devices/gdevupd.c
		28	index 740dae0..a50571a 100644
		29	--- a/devices/gdevupd.c
		30	+++ b/devices/gdevupd.c
		31	@@ -1887,6 +1887,16 @@ out on this copies.
		32	if(!upd_strings[i]) continue;
		33	UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
		34	if(0 == code) {
		35	+ if (gs_is_path_control_active(udev->memory)) {
		36	+ if (strings[i].size != value.size)
		37	+ error = gs_error_invalidaccess;
		38	+ else {
		39	+ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
		40	+ error = gs_error_invalidaccess;
		41	+ }
		42	+ if (error < 0)
		43	+ goto exit;
		44	+ }
		45	if(0 <= error) error \|= UPD_PUT_STRINGS;
		46	UPD_MM_DEL_PARAM(udev->memory, strings[i]);
		47	if(!value.size) {
		48	@@ -1904,6 +1914,26 @@ out on this copies.
		49	if(!upd_string_a[i]) continue;
		50	UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
		51	if(0 == code) {
		52	+ if (gs_is_path_control_active(udev->memory)) {
		53	+ if (string_a[i].size != value.size)
		54	+ error = gs_error_invalidaccess;
		55	+ else {
		56	+ int loop;
		57	+ for (loop = 0;loop < string_a[i].size;loop++) {
		58	+ gs_param_string tmp1 = (gs_param_string )&(string_a[i].data[loop]);
		59	+ gs_param_string tmp2 = (gs_param_string )&value.data[loop];
		60	+
		61	+ if (tmp1->size != tmp2->size)
		62	+ error = gs_error_invalidaccess;
		63	+ else {
		64	+ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
		65	+ error = gs_error_invalidaccess;
		66	+ }
		67	+ }
		68	+ }
		69	+ if (error < 0)
		70	+ goto exit;
		71	+ }
		72	if(0 <= error) error \|= UPD_PUT_STRING_A;
		73	UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
		74	if(!value.size) {
		75	@@ -2098,6 +2128,7 @@ transferred into the device-structure. In the case of "uniprint", this may
		76	if(0 > code) error = code;
		77	}
		78
		79	+exit:
		80	if(0 < error) { /* Actually something loaded without error */
		81
		82	if(!(upd = udev->upd)) {
		83	--
		84	2.40.0


diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb index 8bda4404cc..db9481816a 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo
30	file://CVE-2024-33869-0001.patch \	30	file://CVE-2024-33869-0001.patch \
31	file://CVE-2024-33869-0002.patch \	31	file://CVE-2024-33869-0002.patch \
32	file://CVE-2024-33871.patch \	32	file://CVE-2024-33871.patch \
		33	file://CVE-2024-29510.patch \
33	"	34	"
34		35
35	SRC_URI[sha256sum] = "e429e4f5b01615a4f0f93a4128e8a1a4d932dff983b1774174c79c0630717ad9"	36	SRC_URI[sha256sum] = "e429e4f5b01615a4f0f93a4128e8a1a4d932dff983b1774174c79c0630717ad9"