Vijay Anusuri
2024-11-15 08:56:59 +05:30
committed by Steve Sakoman
parent 8e092852b6
commit 86be079fa4
6 changed files with 255 additions and 0 deletions


@@ -0,0 +1,31 @@
From ada21374f0c90cc3acf7ce0e96302394560c7aee Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Fri, 30 Aug 2024 13:16:39 +0100
Subject: PS interpreter - check the type of the Pattern Implementation
Bug #707991
See bug report for details.
CVE-2024-46951
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches/CVE-2024-46951.patch?h=ubuntu/jammy-security
Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ada21374f0c90cc3acf7ce0e96302394560c7aee]
CVE: CVE-2024-46951
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
psi/zcolor.c | 3 +++
1 file changed, 3 insertions(+)
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -5054,6 +5054,9 @@ static int patterncomponent(i_ctx_t * i_
code = array_get(imemory, pImpl, 0, &pPatInst);
if (code < 0)
return code;
+
+ if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
+ return_error(gs_error_typecheck);
cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
if (pattern_instance_uses_base_space(cc.pattern))
*n = n_comps;
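Review bot: The new type guard in patterncomponent has no comment, and the patch header only says "see bug report", so a reader of zcolor.c cannot tell why an entry read from the Implementation array needs a struct-type check before `r_ptr()`. A one-line comment above the `if (!r_is_struct(&pPatInst) ...` line would carry that: `/* Bug #707991: Implementation[0] must be a pattern1/pattern2 instance; anything else would be dereferenced as one by r_ptr() below. */`. The order of the test (r_is_struct first, then r_has_stype) is correct, since the stype lookup presumably only makes sense for struct refs. patterncomponent begins and ends outside this hunk.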


@@ -0,0 +1,62 @@
From 1fb76aaddac34530242dfbb9579d9997dae41264 Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Mon, 2 Sep 2024 15:14:01 +0100
Subject: PDF interpreter - sanitise W array values in Xref streams
Bug #708001 "Buffer overflow in PDF XRef stream"
See bug report. I've chosen to fix this by checking the values in the
W array; these can (currently at least) only have certain relatively
small values.
As a future proofing fix I've also updated field_size in
pdf_xref_stream_entries() to be a 64-bit integer. This is far bigger
than required, but matches the W array values and so prevents the
mismatch which could lead to a buffer overrun.
CVE-2024-46952
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches/CVE-2024-46952.patch?h=ubuntu/jammy-security
Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1fb76aaddac34530242dfbb9579d9997dae41264]
CVE: CVE-2024-46952
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
pdf/pdf_xref.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
--- a/pdf/pdf_xref.c
+++ b/pdf/pdf_xref.c
@@ -53,7 +53,7 @@ static int resize_xref(pdf_context *ctx,
static int read_xref_stream_entries(pdf_context *ctx, pdf_c_stream *s, uint64_t first, uint64_t last, uint64_t *W)
{
uint i, j;
- uint field_width = 0;
+ uint64_t field_width = 0;
uint32_t type = 0;
uint64_t objnum = 0, gen = 0;
byte *Buffer;
@@ -292,6 +292,24 @@ static int pdfi_process_xref_stream(pdf_
}
pdfi_countdown(a);
+ /* W[0] is either:
+ * 0 (no type field) or a single byte with the type.
+ * W[1] is either:
+ * The object number of the next free object, the byte offset of this object in the file or the object5 number of the object stream where this object is stored.
+ * W[2] is either:
+ * The generation number to use if this object is used again, the generation number of the object or the index of this object within the object stream.
+ *
+ * Object and generation numbers are limited to unsigned 64-bit values, as are bytes offsets in the file, indexes of objects within the stream likewise (actually
+ * most of these are generally 32-bit max). So we can limit the field widths to 8 bytes, enough to hold a 64-bit number.
+ * Even if a later version of the spec makes these larger (which seems unlikely!) we still cna't cope with integers > 64-bits.
+ */
+ if (W[0] > 1 || W[1] > 8 || W[2] > 8) {
+ pdfi_close_file(ctx, XRefStrm);
+ pdfi_countdown(ctx->xref_table);
+ ctx->xref_table = NULL;
+ return code;
+ }
+
code = pdfi_dict_get_type(ctx, sdict, "Index", PDF_ARRAY, (pdf_obj **)&a);
if (code == gs_error_undefined) {
code = read_xref_stream_entries(ctx, XRefStrm, 0, size - 1, (uint64_t *)W);
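Review bot: The rejection block `if (W[0] > 1 || W[1] > 8 || W[2] > 8)` in pdfi_process_xref_stream returns `code`, but `code` is not assigned anywhere in this hunk; if it still holds the success value of the preceding lookup (the last assignment is above the hunk, so I cannot confirm), the function reports success to its caller after having closed the stream and set `ctx->xref_table = NULL`. A caller that trusts a non-negative return would then operate on a NULL xref table. Returning an explicit error makes the path unambiguous: `return_error(gs_error_rangecheck);`. The comment above the check also has two typos ("object5 number", "cna't") worth fixing when the patch is next touched.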


@@ -0,0 +1,67 @@
From 294a3755e33f453dd92e2a7c4cfceb087ac09d6a Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Mon, 27 May 2024 13:38:36 +0100
Subject: Bug 707793: Check for overflow validating format string
for the output file name
CVE-2024-46953
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches/CVE-2024-46953.patch?h=ubuntu/jammy-security
Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=294a3755e33f453dd92e2a7c4cfceb087ac09d6a]
CVE: CVE-2024-46953
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
base/gsdevice.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
--- a/base/gsdevice.c
+++ b/base/gsdevice.c
@@ -1069,7 +1069,7 @@ static int
gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
{
bool have_format = false, field;
- int width[2], int_width = sizeof(int) * 3, w = 0;
+ uint width[2], int_width = sizeof(int) * 3, w = 0;
uint i;
/* Scan the file name for a format string, and validate it if present. */
@@ -1098,6 +1098,8 @@ gx_parse_output_format(gs_parsed_file_na
default: /* width (field = 0) and precision (field = 1) */
if (strchr("0123456789", pfn->fname[i])) {
width[field] = width[field] * 10 + pfn->fname[i] - '0';
+ if (width[field] > max_int)
+ return_error(gs_error_undefinedfilename);
continue;
} else if (0 == field && '.' == pfn->fname[i]) {
field++;
@@ -1126,8 +1128,10 @@ gx_parse_output_format(gs_parsed_file_na
/* Calculate a conservative maximum width. */
w = max(width[0], width[1]);
w = max(w, int_width) + 5;
+ if (w > max_int)
+ return_error(gs_error_undefinedfilename);
}
- return w;
+ return (int)w;
}
/*
@@ -1180,10 +1184,15 @@ gx_parse_output_file_name(gs_parsed_file
if (!pfn->fname)
return 0;
code = gx_parse_output_format(pfn, pfmt);
- if (code < 0)
+ if (code < 0) {
return code;
- if (strlen(pfn->iodev->dname) + pfn->len + code >= gp_file_name_sizeof)
+ }
+
+ if (pfn->len >= gp_file_name_sizeof - strlen(pfn->iodev->dname) ||
+ code >= gp_file_name_sizeof - strlen(pfn->iodev->dname) - pfn->len) {
return_error(gs_error_undefinedfilename);
+ }
+
return 0;
}
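Review bot: The overflow guard added in gx_parse_output_format after `width[field] = width[field] * 10 + pfn->fname[i] - '0';` runs after the multiply, and with `width` now `uint` (32 bits on the usual targets) an accumulator as large as `max_int` times 10 exceeds `UINT_MAX`, so the value can wrap to a small number and pass `width[field] > max_int` although the digit run in the file name encodes a far larger width. Unsigned wrap is defined behaviour, but it defeats the bound this hunk exists to enforce. Check before accumulating: `if (width[field] > (max_int - (pfn->fname[i] - '0')) / 10)` / `return_error(gs_error_undefinedfilename);` / `width[field] = width[field] * 10 + pfn->fname[i] - '0';`. The later `w` guard is fine as written, since both operands of the max are already bounded by `max_int` and adding 5 cannot wrap. gx_parse_output_format begins and ends outside the hunk.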


@@ -0,0 +1,60 @@
From ca1fc2aefe9796e321d0589afe7efb35063c8b2a Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Fri, 30 Aug 2024 13:11:53 +0100
Subject: PS interpreter - check Indexed colour space index
Bug #707990 "Out of bounds read when reading color in "Indexed" color space"
Check the 'index' is in the valid range (0 to hival) for the colour
space.
Also a couple of additional checks on the type of the 'proc' for
Indexed, DeviceN and Separation spaces. Make sure these really are
procs in case the user changed the colour space array.
CVE-2024-46955
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches/CVE-2024-46955.patch?h=ubuntu/jammy-security
Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ca1fc2aefe9796e321d0589afe7efb35063c8b2a]
CVE: CVE-2024-46955
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
psi/zcolor.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -3628,6 +3628,7 @@ static int septransform(i_ctx_t *i_ctx_p
code = array_get(imemory, sepspace, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*esp = proc;
return o_push_estack;
}
@@ -4449,6 +4450,7 @@ static int devicentransform(i_ctx_t *i_c
code = array_get(imemory, devicenspace, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*esp = proc;
return o_push_estack;
}
@@ -4864,6 +4866,7 @@ static int indexedbasecolor(i_ctx_t * i_
code = array_get(imemory, space, 3, &proc);
if (code < 0)
return code;
+ check_proc(proc);
*ep = proc; /* lookup proc */
return o_push_estack;
} else {
@@ -4877,6 +4880,9 @@ static int indexedbasecolor(i_ctx_t * i_
if (!r_has_type(op, t_integer))
return_error (gs_error_typecheck);
index = op->value.intval;
+ /* Ensure it is in range. See bug #707990 */
+ if (index < 0 || index > pcs->params.indexed.hival)
+ return_error(gs_error_rangecheck);
/* And remove it from the stack. */
ref_stack_pop(&o_stack, 1);
op = osp;
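Review bot: The three `check_proc(proc);` insertions in septransform, devicentransform and indexedbasecolor carry no comment, so the reason the procedure read from the colour-space array must be re-validated is lost once the patch is applied. The commit message states it: the array is reachable by user code and may no longer hold a procedure at index 3. A comment at the first insertion, `/* Bug #707990: the space array may have been altered; proc must still be a procedure before it is pushed to the exec stack. */`, would cover all three, and the same reasoning belongs next to the new `index` range check, which currently cites only the bug number. check_proc appears to be a macro that returns an error on failure; its definition is outside this patch, as are the enclosing functions.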


@@ -0,0 +1,30 @@
From ea69a1388245ad959d31c272b5ba66d40cebba2c Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Tue, 23 Jul 2024 11:48:39 +0100
Subject: PostScript interpreter - fix buffer length check
Bug 707895
See bug report for details.
CVE-2024-46956
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches/CVE-2024-46956.patch?h=ubuntu/jammy-security
Upstream commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ea69a1388245ad959d31c272b5ba66d40cebba2c]
CVE: CVE-2024-46956
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
psi/zfile.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -440,7 +440,7 @@ file_continue(i_ctx_t *i_ctx_p)
if (code == ~(uint) 0) { /* all done */
esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
return o_pop_estack;
- } else if (code > len) { /* overran string */
+ } else if (code > len - devlen) { /* overran string */
return_error(gs_error_rangecheck);
}
else if (iodev != iodev_default(imemory)
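Review bot: The corrected bound `code > len - devlen` in file_continue is only sound if `len >= devlen` was established earlier in the function, which begins outside this hunk; `code` is compared with `~(uint) 0`, so the subtraction is done in unsigned arithmetic and a `len` shorter than `devlen` would wrap it to a huge bound that never triggers the rangecheck. I would expect such a guard before the enumerate call (presumably the enumerator is handed `len - devlen` bytes, which is why this is the right limit), but it cannot be confirmed from the patch. A comment tying the two together would help the next reader: `/* overran the space left after the devlen-byte prefix; len >= devlen is checked above */`.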


@@ -57,6 +57,11 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
file://CVE-2024-29508-1.patch \
file://CVE-2024-29508-2.patch \
file://CVE-2023-46361.patch \
file://CVE-2024-46951.patch \
file://CVE-2024-46952.patch \
file://CVE-2024-46953.patch \
file://CVE-2024-46955.patch \
file://CVE-2024-46956.patch \
"
SRC_URI = "${SRC_URI_BASE} \