mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-01-29 21:08:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

ghostscript: patch CVE-2025-59799

Browse Source 
Pick commit mentioned in the NVD report.

(From OE-Core rev: 2f1d5b9ad1af6d2b28e9e7b46aadd879a67b8fc6)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Peter Marko
2025-10-08 00:11:11 +02:00
committed by Steve Sakoman
parent 7698e2910d
commit 0db5ae637d
2 changed files with 42 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch Normal file
View File

@@ -0,0 +1,41 @@
From 6dab38fb211f15226c242ab7a83fa53e4b0ff781 Mon Sep 17 00:00:00 2001
From: Piotr Kajda <petermasterperfect@gmail.com>
Date: Thu, 8 May 2025 11:37:09 +0100
Subject: [PATCH] pdfwrite - bounds check some strings
Bug #708517
This differs very slightly from the proposed patch in the bug report, I
had a quick scout through the C file and found another similar case.
Both fixed here.
CVE: CVE-2025-59799
Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/6dab38fb211f15226c242ab7a83fa53e4b0ff781]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
devices/vector/gdevpdfm.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/devices/vector/gdevpdfm.c b/devices/vector/gdevpdfm.c
index 5aa3644e2..4b1d7d89c 100644
--- a/devices/vector/gdevpdfm.c
+++ b/devices/vector/gdevpdfm.c
@@ -199,6 +199,8 @@ pdfmark_coerce_dest(gs_param_string *dstr, char dest[MAX_DEST_STRING])
{
const byte *data = dstr->data;
uint size = dstr->size;
+ if (size > MAX_DEST_STRING)
+ return_error(gs_error_limitcheck);
if (size == 0 || data[0] != '(')
return 0;
/****** HANDLE ESCAPES ******/
@@ -859,6 +861,8 @@ pdfmark_put_ao_pairs(gx_device_pdf * pdev, cos_dict_t *pcd,
char buf[30];
int d0, d1;
+ if (Action[1].size > 29)
+ return_error(gs_error_rangecheck);
memcpy(buf, Action[1].data, Action[1].size);
buf[Action[1].size] = 0;
if (sscanf(buf, "%d %d R", &d0, &d1) == 2)

1
meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
View File

@@ -26,6 +26,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo
file://ghostscript-9.16-Werror-return-type.patch \ file://ghostscript-9.16-Werror-return-type.patch \
file://avoid-host-contamination.patch \ file://avoid-host-contamination.patch \
file://CVE-2025-59798.patch \ file://CVE-2025-59798.patch \
file://CVE-2025-59799.patch \
" "
SRC_URI[sha256sum] = "121861b6d29b2461dec6575c9f3cab665b810bd408d4ec02c86719fa708b0a49" SRC_URI[sha256sum] = "121861b6d29b2461dec6575c9f3cab665b810bd408d4ec02c86719fa708b0a49"