main/ghostscript: patch CVE-2023-28879

2026-05-09 14:28:23 +02:00 · 2023-04-13 07:57:17 +00:00 · 2023-04-13 07:57:17 +00:00 · 06d4ce551f
commit 06d4ce551f
parent 54883185b7
2 changed files with 55 additions and 1 deletions
--- a/main/ghostscript/APKBUILD
+++ b/main/ghostscript/APKBUILD
@ -2,7 +2,7 @@
 # Maintainer: Cameron Banta <cbanta@gmail.com>
 pkgname=ghostscript
 pkgver=9.56.1
-pkgrel=0
+pkgrel=1
 pkgdesc="An interpreter for the PostScript language and for PDF"
 url="https://ghostscript.com/"
 arch="all"
@ -13,11 +13,14 @@ makedepends="autoconf automake libjpeg-turbo-dev libpng-dev expat-dev
 	cups-dev libtool jbig2dec-dev openjpeg-dev"
 subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-gtk"
 source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${pkgver//./}/ghostscript-$pkgver.tar.gz
+	CVE-2023-28879.patch
 	ghostscript-system-zlib.patch
 	fix-sprintf.patch
 	"

 # secfixes:
+#   9.56.1-r1:
+#     - CVE-2023-28879
 #   9.54-r1:
 #     - CVE-2021-3781
 #   9.51-r0:
@ -159,6 +162,7 @@ gtk() {

 sha512sums="
 f498384af80654c040635564b8bc9a64c4bb5b0769bb00aade4042bbe9117c482362dc1a1fac72db3ce9487dd5a5bb8fb81b35b360680fe598df33dfbbe79499  ghostscript-9.56.1.tar.gz
+a7943518795d4261d8c4a46aaae57caf7650a25294199f75779e64bb68cf0eb79dba87d4984f324f626ffd8e69629d0c181b4cb50ae29dce4c6cd99a80dbb7d5  CVE-2023-28879.patch
 70721e3a335afa5e21d4e6cf919119010bd4544a03ab8f53f5325c173902221ad9b88c118b4bfeee80b3e1956bcdbaf4c53f64ae7fb81f5ba57dbc956750c482  ghostscript-system-zlib.patch
 beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4  fix-sprintf.patch
 "
--- a/main/ghostscript/CVE-2023-28879.patch
+++ b/main/ghostscript/CVE-2023-28879.patch
@ -0,0 +1,50 @@
+Patch-Source: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd584de868933b5b60da2e995b3179;hp=afec45259049d3940abb0134c67abf8869123b74#patch1
+--
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Fri, 24 Mar 2023 13:19:57 +0000 (+0000)
+Subject: Graphics library - prevent buffer overrun in (T)BCP encoding
+X-Git-Tag: ghostpdl-10.02.0-test-base-001~6
+X-Git-Url: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=37ed5022cecd584de868933b5b60da2e995b3179;hp=afec45259049d3940abb0134c67abf8869123b74
+
+Graphics library - prevent buffer overrun in (T)BCP encoding
+
+Bug #706494 "Buffer Overflow in s_xBCPE_process"
+
+As described in detail in the bug report, if the write buffer is filled
+to one byte less than full, and we then try to write an escaped
+character, we overrun the buffer because we don't check before
+writing two bytes to it.
+
+This just checks if we have two bytes before starting to write an
+escaped character and exits if we don't (replacing the consumed byte
+of the input).
+
+Up for further discussion; why do we even permit a BCP encoding filter
+anyway ? I think we should remove this, at least when SAFER is true.
+---
+
+diff --git a/base/sbcp.c b/base/sbcp.c
+index 979ae0992..47fc233ec 100644
+--- a/base/sbcp.c
+++ b/base/sbcp.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2021 Artifex Software, Inc.
+/* Copyright (C) 2001-2023 Artifex Software, Inc.
+    All Rights Reserved.
+ 
+    This software is provided AS-IS with no warranty, either express or
+@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
+         byte ch = *++p;
+ 
+         if (ch <= 31 && escaped[ch]) {
+            /* Make sure we have space to store two characters in the write buffer,
+             * if we don't then exit without consuming the input character, we'll process
+             * that on the next time round.
+             */
+            if (pw->limit - q < 2) {
+                p--;
+                break;
+            }
+             if (p == rlimit) {
+                 p--;
+                 break;