[oe-core][kirkstone][PATCH 1/5] ghostscript: fix CVE-2024-33870

Polampalli, Archana via lists.openembedded.org Tue, 28 May 2024 22:41:39 -0700

From: Archana Polampalli <archana.polampa...@windriver.com>

Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com>
---
 .../ghostscript/CVE-2024-33870.patch          | 92 +++++++++++++++++++
 .../ghostscript/ghostscript_9.55.0.bb         |  1 +
 2 files changed, 93 insertions(+)
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch 
b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch
new file mode 100644
index 0000000000..0d289b6d07
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch
@@ -0,0 +1,92 @@
+From 79aef19c685984dc3da2dc090450407d9fbcff80 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sh...@artifex.com>
+Date: Tue, 26 Mar 2024 12:00:14 +0000
+Subject: [PATCH 1/5] Bug #707686
+
+See bug thread for details
+
+In addition to the noted bug; an error path (return from
+gp_file_name_reduce not successful) could elad to a memory leak as we
+did not free 'bufferfull'. Fix that too.
+
+This addresses CVE-2024-33870
+
+CVE: CVE-2024-33870
+
+Upstream-Status: Backport 
[https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc]
+
+Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com>
+---
+ base/gpmisc.c | 33 ++++++++++++++++++++++++++++++---
+ 1 file changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index f9a9230..3b6fffa 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+                      const uint         len,
+                      const char        *mode)
+ {
+-    char *buffer, *bufferfull;
++    char *buffer, *bufferfull = NULL;
+     uint rlen;
+     int code = 0;
+     const char *cdirstr = gp_file_name_current();
+@@ -1095,8 +1095,10 @@ gp_validate_path_len(const gs_memory_t *mem,
+             return gs_error_VMerror;
+
+         buffer = bufferfull + prefix_len;
+-        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != 
gp_combine_success)
+-            return gs_error_invalidfileaccess;
++      if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != 
gp_combine_success) {
++           code = gs_note_error(gs_error_invalidfileaccess);
++            goto exit;
++        }
+         buffer[rlen] = 0;
+     }
+     while (1) {
+@@ -1131,9 +1133,33 @@ gp_validate_path_len(const gs_memory_t *mem,
+             code = gs_note_error(gs_error_invalidfileaccess);
+         }
+         if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
++            uint newlen = rlen + cdirstrl + dirsepstrl;
++            char *newbuffer;
++            int code;
++
+             buffer = bufferfull;
+             memcpy(buffer, cdirstr, cdirstrl);
+             memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
++          /* We've prepended a './' or similar for the current working 
directory. We need
++             * to execute file_name_reduce on that, to eliminate any '../' or 
similar from
++             * the (new) full path.
++             */
++            newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, 
newlen + 1, "gp_validate_path");
++            if (newbuffer == NULL) {
++                code = gs_note_error(gs_error_VMerror);
++                goto exit;
++            }
++
++            memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
++            newbuffer[newlen] = 0x00;
++
++            code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, 
&newlen);
++            gs_free_object(mem->thread_safe_memory, newbuffer, 
"gp_validate_path");
++            if (code != gp_combine_success) {
++                code = gs_note_error(gs_error_invalidfileaccess);
++                goto exit;
++            }
++
+             continue;
+         }
+         else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == 
bufferfull) {
+@@ -1152,6 +1178,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+                                            
gs_path_control_flag_is_scratch_file);
+     }
+
++exit:
+     gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
+ #ifdef EACCES
+     if (code == gs_error_invalidfileaccess)
+--
+2.40.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb 
b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index e99c740685..5fa4da0fb8 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -43,6 +43,7 @@ SRC_URI_BASE = 
"https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                 file://CVE-2023-38559.patch \
                 file://CVE-2023-43115.patch \
                 file://CVE-2023-46751.patch \
+                file://CVE-2024-33870.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
-- 
2.40.0

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199983): 
https://lists.openembedded.org/g/openembedded-core/message/199983
Mute This Topic: https://lists.openembedded.org/mt/106364221/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/5] ghostscript: fix CVE-2024-33870

Reply via email to