ghostscript: fix CVE-2024-33869

(From OE-Core rev: d24e9c6c1016fbe8522f647aca76d93ab9cc5a41) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-05-30 12:29:55 +00:00 · 2024-05-29 05:42:23 +00:00
parent 3a3c1f7dc6
commit 235050fbfa
3 changed files with 93 additions and 0 deletions
@@ -0,0 +1,39 @@
 From 5ae2e320d69a7d0973011796bd388cd5befa1a43 Mon Sep 17 00:00:00 2001
 From: Ken Sharp <Ken.Sharp@artifex.com>
 Date: Tue, 26 Mar 2024 12:02:57 +0000
 Subject: [PATCH 2/5] Bug #707691
 Part 1; when stripping a potential Current Working Dirctory specifier
 from a path, make certain it really is a CWD, and not simply large
 ebough to be a CWD.
 Reasons are in the bug thread, this is not (IMO) serious.
 This is part of the fix for CVE-2024-33869
 CVE: CVE-2024-33869
 Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973]
 Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
 ---
 base/gpmisc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/base/gpmisc.c b/base/gpmisc.c
 index c4a69b0..1d4d5d8 100644
 --- a/base/gpmisc.c
 +++ b/base/gpmisc.c
@@ -1164,8 +1164,8 @@ gp_validate_path_len(const gs_memory_t *mem,
             continue;
         }
 -        else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
 -            buffer = bufferfull + cdirstrl + dirsepstrl;
 +        else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
 +            && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
             continue;
         }
         break;
 --
 2.40.0
@@ -0,0 +1,52 @@
 From f5336e5b4154f515ac83bc5b9eba94302e6618d4 Mon Sep 17 00:00:00 2001
 From: Ken Sharp <Ken.Sharp@artifex.com>
 Date: Tue, 26 Mar 2024 12:07:18 +0000
 Subject: [PATCH 3/5] Bug 707691 part 2
 See bug thread for details
 This is the second part of the fix for CVE-2024-33869
 CVE: CVE-2024-33869
 Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83]
 Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
 ---
 base/gpmisc.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 diff --git a/base/gpmisc.c b/base/gpmisc.c
 index 1d4d5d8..b0d5c71 100644
 --- a/base/gpmisc.c
 +++ b/base/gpmisc.c
@@ -1090,6 +1090,27 @@ gp_validate_path_len(const gs_memory_t *mem,
         rlen = len;
     }
     else {
 +        char *test = (char *)path, *test1;
 +        uint tlen = len, slen;
 +
 +        /* Look for any pipe (%pipe% or '|' specifications between path separators
 +         * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
 +         */
 +        while (tlen > 0) {
 +            if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
 +                code = gs_note_error(gs_error_invalidfileaccess);
 +                goto exit;
 +            }
 +            test1 = test;
 +            slen = search_separator((const char **)&test, path + len, test1, 1);
 +            if(slen == 0)
 +                break;
 +            test += slen;
 +            tlen -= test - test1;
 +            if (test >= path + len)
 +                break;
 +        }
 +
         rlen = len+1;
         bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
         if (bufferfull == NULL)
 --
 2.40.0
@@ -27,6 +27,8 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo
           file://avoid-host-contamination.patch \
           file://configure.ac-add-option-to-explicitly-disable-neon.patch \
           file://CVE-2024-33870.patch \
           file://CVE-2024-33869-0001.patch \
           file://CVE-2024-33869-0002.patch \
           "
 SRC_URI[sha256sum] = "e429e4f5b01615a4f0f93a4128e8a1a4d932dff983b1774174c79c0630717ad9"