Accepting request 1078390 from Printing

Fixes bsc#1210062 for ghostscript and ghostscript-mini (forwarded request 1078389 from jsmeix)

OBS-URL: https://build.opensuse.org/request/show/1078390
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=57
Dominique Leuenberger 2023-04-12 10:50:52 +00:00 committed by Git OBS Bridge
commit 65224379c0
3 changed files with 38 additions and 1 deletion

CVE-2023-28879.patch Normal file

@ -0,0 +1,17 @@
--- base/sbcp.c.orig 2020-03-19 09:21:42.000000000 +0100
+++ base/sbcp.c 2023-04-03 12:36:26.024927229 +0200
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, strea
byte ch = *++p;
if (ch <= 31 && escaped[ch]) {
+ /* Make sure we have space to store two characters in the write buffer,
+ * if we don't then exit without consuming the input character, we'll process
+ * that on the next time round.
+ */
+ if (pw->limit - q < 2) {
+ p--;
+ break;
+ }
if (p == rlimit) {
p--;
break;
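Review bot: the new early exit `if (pw->limit - q < 2) { p--; break; }` leaves the loop without recording why it stopped; the comment promises the unconsumed character will be handled "next time round", but nothing in this hunk shows the status returned after the loop, and the pre-existing `if (p == rlimit) { p--; break; }` exit is now indistinguishable from it at this point. Confirm that the value returned when the loop ends this way tells the stream machinery the write buffer is full (so it drains and re-invokes s_xBCPE_process) rather than looking like plain end-of-input, otherwise the escaped byte is never emitted. Separately, the patch file has no header: the only record that it is upstream commit 37ed5022cecd is a comment in the spec, so add a line above `--- base/sbcp.c.orig` naming the upstream commit and the CVE so the patch stays self-describing when it is rebased.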

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Tue Apr 11 09:09:56 UTC 2023 - Johannes Meixner <jsmeix@suse.com>
- CVE-2023-28879.patch fixes CVE-2023-28879
Buffer Overflow in s_xBCPE_process
cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
(bsc#1210062)
-------------------------------------------------------------------
Mon Jul 18 07:28:54 UTC 2022 - Dirk Müller <dmueller@suse.com>
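Review bot: the changes entry names the upstream bug and the bsc reference but not the upstream commit (37ed5022cecd) that the spec comments cite for the same patch; add the commit id here so the entry is self-contained for security-update review without opening the spec.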

@ -1,7 +1,7 @@
#
# spec file
#
# Copyright (c) 2022 SUSE LLC
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -47,6 +47,12 @@ Patch100: remove-zlib-h-dependency.patch
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
Patch101: ijs_exec_server_dont_use_sh.patch
# Patch102 CVE-2023-28879.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd
# that fixes CVE-2023-28879 Buffer Overflow in s_xBCPE_process
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
# and https://bugzilla.suse.com/show_bug.cgi?id=1210062
Patch102: CVE-2023-28879.patch
BuildRequires: freetype2-devel
BuildRequires: libjpeg-devel
BuildRequires: liblcms2-devel
@ -240,6 +246,12 @@ This package contains the development files for Ghostscript.
# Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
# additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
%patch101 -p1
# Patch102 CVE-2023-28879.patch is
# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd
# that fixes CVE-2023-28879 Buffer Overflow in s_xBCPE_process
# cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
# and https://bugzilla.suse.com/show_bug.cgi?id=1210062
%patch102
# Remove patch backup files to avoid packaging
# cf. https://build.opensuse.org/request/show/581052
rm -f Resource/Init/*.ps.orig
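Review bot: `%patch102` is applied at the default strip level while the neighbouring `%patch101 -p1` is explicit; the default matches this patch's flattened `base/sbcp.c.orig` / `base/sbcp.c` paths, but the upstream commit it was taken from carries `a/` and `b/` prefixes, so a future refresh straight from git would need `-p1` and the mismatch would only surface at build time. Write the level explicitly (`%patch102 -p0`), or regenerate the patch with the upstream prefixes and apply it with `-p1` like Patch101, so the two patches follow one convention.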