Archana Polampalli
5b18890ace
ghostscript: fix CVE-2025-48708
...
gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript before 10.05.1
lacks argument sanitization for the # case. A created PDF document includes
its password in cleartext.
(From OE-Core rev: 7052a81e4f9b19b5640b414c10b19f8232d81572)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-06-13 08:42:34 -07:00
Peter Marko
73c2187fbc
ghostscript: ignore CVE-2024-29507
...
Fix for this CVE is [3] (per [1] and [2]).
It fixes cidfsubstfont handling which is not present in 9.55.0 yet.
It was introduced (as cidsubstpath) in 9.56.0 via [4] and later modified
to cidfsubstfont in [5].
Since this recipe has version 9.55.0, mark it as not affected yet.
[1] https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7745dbe24514710b0cfba925e608e607dee9eb0f
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-29507
[3] https://security-tracker.debian.org/tracker/CVE-2024-29507
[4] https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=82efed6cae8b0f2a3d10593b21083be1e7b1ab23
[5] https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=4422012f6b40f0627d3527dba92f3a1ba30017d3
(From OE-Core rev: 5c9f3c244971aadee65a98d83668e3d5d63825a0)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-05-14 06:38:21 -07:00
Peter Marko
235e74ba09
ghostscript: ignore CVE-2025-27837
...
This CVE only impacts codepaths relevant for Windows builds.
See [1] from Debian which marks it as not applicable.
[1] https://security-tracker.debian.org/tracker/CVE-2025-27837
(From OE-Core rev: fb5dc4a476bc4054493d6a7eb64a423e3665afb9)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-05-14 06:38:21 -07:00
Peter Marko
f6bbf5dc3a
ghostscript: ignore CVE-2025-27833
...
Vulnerable code was introduced in 9.56.0, so 9.55.0 is not affected yet
Commit introducing vulnerable feature:
* https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/pdf/pdf_fmap.c?id=0a1d08d91a95746f41e8c1d578a4e4af81ee5949
Commit fixing the vulnerability:
* https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=477e36cfa1faa0037069a22eeeb4fc750733f120
(From OE-Core rev: e1f3d02e80f6bdd942321d9f6718dcc36afe9df8)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-05-02 08:12:41 -07:00
Vijay Anusuri
378cd5368d
ghostscript: Fix CVE-2025-27836
...
Upstream-Status: Backport
[https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8b6d19b2b4079da6863ef25f2370f25d4b054919
&
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=d84efb73723384a8b7fb3989c824cfa218060085 ]
(From OE-Core rev: 7399cf17590204f8289f356cce4575592d6e3536)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-04-11 08:36:03 -07:00
Vijay Anusuri
21f4513cd1
ghostscript: Fix CVE-2025-27835
...
Upstream-Status: Backport
[https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=de900010a6f2310d1fd54e99eeba466693da0e13 ]
(From OE-Core rev: c30c46c2b4048dd58cf91b1523ddeca6075176ec)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-04-11 08:36:03 -07:00
Vijay Anusuri
ee952ae624
ghostscript: Fix CVE-2025-27834
...
Upstream-Status: Backport
[https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ef42ff180a04926e187d40faea40d4a43e304e3b ]
(From OE-Core rev: 06fb236cabf550ea7c92cda0a725dd3db8a8a38b)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-04-11 08:36:03 -07:00
Vijay Anusuri
bfe8ae1a38
ghostscript: Fix CVE-2025-27832
...
Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=57291c846334f1585552010faa42d7cb2cbd5c41 ]
(From OE-Core rev: a1cd1e6275cc5ae3c100a3259e24d03937a4b78d)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-04-11 08:36:03 -07:00
Vijay Anusuri
09870c8cce
ghostscript: Fix CVE-2025-27831
...
Upstream-Status: Backport
[https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=bf79b61cb1677d6865c45d397435848a21e8a647
&
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=bf79b61cb1677d6865c45d397435848a21e8a647 ]
(From OE-Core rev: 810795d2f1d7798c52675efd94917bf99fb940d0)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-04-11 08:36:03 -07:00
Vijay Anusuri
d80ece64ab
ghostscript: Fix CVE-2025-27830
...
Upstream-Status: Backport
[https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8474e1d6b896e35741d3c608ea5c21deeec1078f ]
(From OE-Core rev: bc74ad209b243b131ea5467b871339f1773ba64b)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-04-11 08:36:03 -07:00
Peter Marko
bc35e81080
ghostscript: ignore CVE-2024-46954
...
Issue in the GhostPCL. GhostPCL not part of this GhostScript recipe.
[1] points to [2] as patch, while file base/gp_utf8.c is not part of
ghostscript source tarball.
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-46954
[2] https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=55f587dd039282316f512e1bea64218fd991f934
(From OE-Core rev: 7f1b174b8f12fcf377c45c27022bac99b6652823)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-01-09 08:41:03 -08:00
Vijay Anusuri
86be079fa4
ghostscript: Backport fix for multiple CVE's
...
import patch from ubuntu to fix
CVE-2024-46951
CVE-2024-46952
CVE-2024-46953
CVE-2024-46955
CVE-2024-46956
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ada21374f0c90cc3acf7ce0e96302394560c7aee
&
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1fb76aaddac34530242dfbb9579d9997dae41264
&
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=294a3755e33f453dd92e2a7c4cfceb087ac09d6a
&
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ca1fc2aefe9796e321d0589afe7efb35063c8b2a
&
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ea69a1388245ad959d31c272b5ba66d40cebba2c ]
(From OE-Core rev: 21a81b592a33504d90f8c53842719cb1fcf96271)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-11-27 06:27:25 -08:00
Archana Polampalli
a84e68cd5d
ghostscript: fix CVE-2023-46361
...
Artifex Software jbig2dec v0.20 was discovered to contain a SEGV vulnerability
via jbig2_error at /jbig2dec/jbig2.c.
(From OE-Core rev: 3e9018fb14466495be7472a8620918347c732e86)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-11-15 06:05:32 -08:00
Ashish Sharma
f167cac856
ghostscript: Backport CVE-2024-29508
...
Import patch from ubuntu to fix
CVE-2024-29508
Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/ghostscript/commit/?h=ubuntu/focal-security&id=22b23aa6de7613a4d9c1da9c84d72427c9d0cf1a ]
Upstream commit: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ff1013a0ab485b66783b70145e342a82c670906a
(From OE-Core rev: c5a85dfe661543137e40976e832ac22e4815406a)
Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-11-02 06:32:36 -07:00
Archana Polampalli
5c036f07cc
ghostscript: fix CVE-2024-29506
...
(From OE-Core rev: 68a6482244532e61bc467e1ef23661260bac8572)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-08-16 08:09:14 -07:00
Archana Polampalli
52cfc78696
ghostscript: fix CVE-2024-29509
...
(From OE-Core rev: 18c55a131b0627b906de29f8c4cbd1526154cd60)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-08-16 08:09:14 -07:00
Archana Polampalli
6313a595f9
ghostscript: fix CVE-2024-29511
...
(From OE-Core rev: 1710676f80df2ba1ee77d15b4e0e532df10be5a5)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-08-16 08:09:14 -07:00
Archana Polampalli
b0b5da10e1
ghostscript: fix CVE-2023-52722
...
(From OE-Core rev: 66228a9e8177e70a5653b61742836a3ad83e78af)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-06-01 19:07:52 -07:00
Archana Polampalli
2db6158ba5
ghostscript: fix CVE-2024-29510
...
(From OE-Core rev: 18e03cadcad0b416ef9fe65627e2e5c2924e3f26)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-06-01 19:07:52 -07:00
Archana Polampalli
c44a4b4958
ghostscript: fix CVE-2024-33871
...
Added dependent patch [1] for backporting this CVE
[1] 8b47f269b8
(From OE-Core rev: edcaa55aa53d51528ae77d1f4b544309c8e1e48e)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-06-01 19:07:52 -07:00
Archana Polampalli
acf74d7113
ghostscript: fix CVE-2024-33869
...
(From OE-Core rev: fb0271a2d4e847764816b673aa37ea03ee4b3325)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-06-01 19:07:52 -07:00
Archana Polampalli
f60be736e6
ghostscript: fix CVE-2024-33870
...
(From OE-Core rev: 9f0c63b568312da93daeb31eeb2874b98d1e3eea)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-06-01 19:07:52 -07:00
Kai Kang
355838a15e
ghostscript: correct LICENSE with AGPLv3
...
The license of ghostscript has switched to Affero GPL since version 9.07
via commit:
* 3cc5318 Switch Ghostscript/GhostPDL to Affero GPL
https://github.com/ArtifexSoftware/ghostpdl/commit/3cc5318
Correct it with `AGPL-3.0-or-later`.
(From OE-Core rev: 8e192a2e0c2fdad18ea4c08774493225f31931a0)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-02-15 03:51:57 -10:00
Vijay Anusuri
a7f86b0e78
ghostscript: Backport fix for CVE-2023-46751
...
Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5d2da96e81c7455338302c71a291088a8396245a ]
(From OE-Core rev: f01a0e7fcf3c2d277be0cd85c0cd6b2eff2e5f0a)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-12-22 16:36:54 -10:00
Lee Chee Yang
a7657ca5ff
ghostscript: ignore GhostPCL CVE-2023-38560
...
issue in GhostPCL.
GhostPCL not part of this GhostScript recipe.
(From OE-Core rev: 7c4b4daeeca8fab257475eacb83c58b7e5dfee24)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-11-28 05:00:32 -10:00
Archana Polampalli
df7a37d54f
ghostscript: fix CVE-2023-43115
...
In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote
code execution via crafted PostScript documents because they can switch to the
IJS device, or change the IjsServer parameter, after SAFER has been activated.
NOTE: it is a documented risk that the IJS server can be specified on a gs
command line (the IJS device inherently must execute a command to start the IJS server).
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-43115
Upstream patches:
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe
(From OE-Core rev: 1d169e50f28c93434461aa3ecbc47c21509143e9)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-09-30 09:43:59 -10:00
Archana Polampalli
8e90df16f5
ghostscript: fix CVE-2023-38559
...
A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle()
in ghostscript. This issue may allow a local attacker to cause a denial of service
via outputting a crafted PDF file for a DEVN device with gs.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-38559
Upstream patch:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f
(From OE-Core rev: e77c0b35969ae690b390ffae682fd6552ff8aff8)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-08-19 05:56:58 -10:00
Archana Polampalli
ba1a77347c
ghostscript: fix CVE-2023-36664
...
Artifex Ghostscript through 10.01.2 mishandles permission validation for
pipe devices (with the %pipe% prefix or the | pipe character prefix).
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-36664
Upstream patches:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099
(From OE-Core rev: cd3921215cb782ecc9aeda5bb3b76863911bcb61)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-07-26 05:20:36 -10:00
Joe Slater
20e0e5ebfb
ghostscript: fix CVE-2023-29979
...
Backport from 10.02.0 (unreleased).
(From OE-Core rev: 6d5baff50aa83c663856cccc375c522add97625e)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-05-03 04:17:12 -10:00
Lee Chee Yang
0a954bf5d7
ghostscript: fix CVE-2022-2085
...
(From OE-Core rev: 645a619524d04aa6a2029a2810e2d84dc751fc48)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-07-08 08:27:15 +01:00
Richard Purdie
71ef319193
meta/scripts: Automated conversion of OE renamed variables
...
(From OE-Core rev: aa52af4518604b5bf13f3c5e885113bf868d6c81)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-02-21 23:37:27 +00:00
Richard Purdie
b0130fcf91
meta/meta-selftest/meta-skeleton: Update LICENSE variable to use SPDX license identifiers
...
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-02-20 16:45:25 +00:00
Alexander Kanavin
6f138098b1
ghostscript: update 9.54.0 -> 9.55.0
...
jbig2dec seems no longer optional; the source for it
is bundled with ghostscript.
License-Update: removed patent references
(From OE-Core rev: 44a3bea7e8fedbc76b6e8f97e1f669def81e158a)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-10-23 17:42:25 +01:00