Strona główna Odkrywaj Pomoc
Zaloguj się
crispAudio
/
poky
kopia lustrzana git://git.yoctoproject.org/poky
5
0
Forkuj 0
Pliki Problemy 0 Wiki
Przeglądaj źródła

ghostscript: fix CVE-2023-28879

Backport from tag ghostpdl-10.01.1-gse-10174 which is
after 10.01.1.

(From OE-Core rev: 8a70d6935afa38173dbf012b8e1c3d59228504df)

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Joe Slater 2 lat temu
rodzic
c7ede907d9
commit
f917836354
2 zmienionych plików z 61 dodań i 0 usunięć
Widok podzielony Pokaż statystyki zmian
  1. 60 0
      meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch
  2. 1 0
      meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb

+ 60 - 0
meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch
Wyświetl plik 

@@ -0,0 +1,60 @@
 
+From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
 
+From: Ken Sharp <ken.sharp@artifex.com>
 
+Date: Fri, 24 Mar 2023 13:19:57 +0000
 
+Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
 
+
 
+Bug #706494 "Buffer Overflow in s_xBCPE_process"
 
+
 
+As described in detail in the bug report, if the write buffer is filled
 
+to one byte less than full, and we then try to write an escaped
 
+character, we overrun the buffer because we don't check before
 
+writing two bytes to it.
 
+
 
+This just checks if we have two bytes before starting to write an
 
+escaped character and exits if we don't (replacing the consumed byte
 
+of the input).
 
+
 
+Up for further discussion; why do we even permit a BCP encoding filter
 
+anyway ? I think we should remove this, at least when SAFER is true.
 
+---
 
+CVE: CVE-2023-28879
 
+
 
+Upstream-Status: Backport [see text]
 
+
 
+git://git.ghostscript.com/ghostpdl
 
+cherry-pick
 
+
 
+Signed-off-by: Joe Slater <joe.slater@windriver.com.
 
+
 
+---
 
+ base/sbcp.c | 10 +++++++++-
 
+ 1 file changed, 9 insertions(+), 1 deletion(-)
 
+
 
+diff --git a/base/sbcp.c b/base/sbcp.c
 
+index 979ae0992..47fc233ec 100644
 
+--- a/base/sbcp.c
 
++++ b/base/sbcp.c
 
+@@ -1,4 +1,4 @@
 
+-/* Copyright (C) 2001-2021 Artifex Software, Inc.
 
++/* Copyright (C) 2001-2023 Artifex Software, Inc.
 
+    All Rights Reserved.
 
+ 
+    This software is provided AS-IS with no warranty, either express or
 
+@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
 
+         byte ch = *++p;
 
+ 
+         if (ch <= 31 && escaped[ch]) {
 
++            /* Make sure we have space to store two characters in the write buffer,
 
++             * if we don't then exit without consuming the input character, we'll process
 
++             * that on the next time round.
 
++             */
 
++            if (pw->limit - q < 2) {
 
++                p--;
 
++                break;
 
++            }
 
+             if (p == rlimit) {
 
+                 p--;
 
+                 break;
 
+-- 
+2.25.1
 
+

+ 1 - 0
meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
Wyświetl plik 

@@ -34,6 +34,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
 
                 file://avoid-host-contamination.patch \
 
                 file://mkdir-p.patch \
 
                 file://cross-compile.patch \
 
+                file://cve-2023-28879.patch \
 
 "
 
 
 SRC_URI = "${SRC_URI_BASE} \