From 06d4ce551fc8d2e14220040772f60acff1813bb7 Mon Sep 17 00:00:00 2001
From: psykose
Date: Thu, 13 Apr 2023 07:57:17 +0000
Subject: [PATCH] main/ghostscript: patch CVE-2023-28879

---
 main/ghostscript/APKBUILD | 6 +++-
 main/ghostscript/CVE-2023-28879.patch | 50 +++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 main/ghostscript/CVE-2023-28879.patch

diff --git a/main/ghostscript/APKBUILD b/main/ghostscript/APKBUILD
index 4678020ddd8..fbdbdf3ec3d 100644
--- a/main/ghostscript/APKBUILD
+++ b/main/ghostscript/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Cameron Banta
 pkgname=ghostscript
 pkgver=9.56.1
-pkgrel=0
+pkgrel=1
 pkgdesc="An interpreter for the PostScript language and for PDF"
 url="https://ghostscript.com/"
 arch="all"
@@ -13,11 +13,14 @@ makedepends="autoconf automake libjpeg-turbo-dev libpng-dev expat-dev cups-dev
 libtool jbig2dec-dev openjpeg-dev"
 subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-gtk"
 source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${pkgver//./}/ghostscript-$pkgver.tar.gz
+ CVE-2023-28879.patch
 ghostscript-system-zlib.patch
 fix-sprintf.patch
 "
 
 # secfixes:
+# 9.56.1-r1:
+# - CVE-2023-28879
 # 9.54-r1:
 # - CVE-2021-3781
 # 9.51-r0:
@@ -159,6 +162,7 @@ gtk() {
 
 sha512sums="
 f498384af80654c040635564b8bc9a64c4bb5b0769bb00aade4042bbe9117c482362dc1a1fac72db3ce9487dd5a5bb8fb81b35b360680fe598df33dfbbe79499 ghostscript-9.56.1.tar.gz
+a7943518795d4261d8c4a46aaae57caf7650a25294199f75779e64bb68cf0eb79dba87d4984f324f626ffd8e69629d0c181b4cb50ae29dce4c6cd99a80dbb7d5 CVE-2023-28879.patch
 70721e3a335afa5e21d4e6cf919119010bd4544a03ab8f53f5325c173902221ad9b88c118b4bfeee80b3e1956bcdbaf4c53f64ae7fb81f5ba57dbc956750c482 ghostscript-system-zlib.patch
 beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4 fix-sprintf.patch
 "
diff --git a/main/ghostscript/CVE-2023-28879.patch b/main/ghostscript/CVE-2023-28879.patch
new file mode 100644
index 00000000000..866a4b2fdcd
--- /dev/null
+++ b/main/ghostscript/CVE-2023-28879.patch
@@ -0,0 +1,50 @@
+Patch-Source: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd584de868933b5b60da2e995b3179;hp=afec45259049d3940abb0134c67abf8869123b74#patch1
+--
+From: Ken Sharp
+Date: Fri, 24 Mar 2023 13:19:57 +0000 (+0000)
+Subject: Graphics library - prevent buffer overrun in (T)BCP encoding
+X-Git-Tag: ghostpdl-10.02.0-test-base-001~6
+X-Git-Url: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=37ed5022cecd584de868933b5b60da2e995b3179;hp=afec45259049d3940abb0134c67abf8869123b74
+
+Graphics library - prevent buffer overrun in (T)BCP encoding
+
+Bug #706494 "Buffer Overflow in s_xBCPE_process"
+
+As described in detail in the bug report, if the write buffer is filled
+to one byte less than full, and we then try to write an escaped
+character, we overrun the buffer because we don't check before
+writing two bytes to it.
+
+This just checks if we have two bytes before starting to write an
+escaped character and exits if we don't (replacing the consumed byte
+of the input).
+
+Up for further discussion; why do we even permit a BCP encoding filter
+anyway ? I think we should remove this, at least when SAFER is true.
+---
+
+diff --git a/base/sbcp.c b/base/sbcp.c
+index 979ae0992..47fc233ec 100644
+--- a/base/sbcp.c
++++ b/base/sbcp.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2021 Artifex Software, Inc.
++/* Copyright (C) 2001-2023 Artifex Software, Inc.
+ All Rights Reserved.
+
+ This software is provided AS-IS with no warranty, either express or
+@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
+ byte ch = *++p;
+
+ if (ch <= 31 && escaped[ch]) {
++ /* Make sure we have space to store two characters in the write buffer,
++ * if we don't then exit without consuming the input character, we'll process
++ * that on the next time round.
++ */
++ if (pw->limit - q < 2) {
++ p--;
++ break;
++ }
+ if (p == rlimit) {
+ p--;
+ break;
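Review bot: The new guard `if (pw->limit - q < 2) { p--; break; }` leaves the loop through the same path the existing `if (p == rlimit)` branch uses for exhausted input, so whether the caller sees "output buffer nearly full" or "need more input" depends on the status computed after the loop, which is outside this hunk; confirm in the backported base/sbcp.c that the encoder is re-entered once `pw` is drained rather than returning with the un-consumed byte still pending, otherwise the retry the comment promises ("we'll process that on the next time round") may not happen. The check also assumes `pw->limit - q` is the number of bytes still writable, i.e. that `q` points at the last byte already written; that only holds if the escaped-character write that follows uses pre-increment on `q`, which is likewise outside the hunk and worth a glance. Since the file carries a Patch-Source header pointing at the upstream commit, any divergence found should go upstream rather than be fixed only in this Alpine patch. s_xBCPE_process begins before the hunk and continues after it.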