From e235e5412fd1b25d291754b51c697cc83d642ebdeeebb36cd2239a302a8712b4 Mon Sep 17 00:00:00 2001 From: Johannes Meixner Date: Wed, 26 Jul 2023 09:51:46 +0000 Subject: [PATCH] Accepting request 1100802 from home:jsmeix:branches:Printing Security fix CVE-2023-38559 bsc#1213637 for ghostscript and ghostscript-mini OBS-URL: https://build.opensuse.org/request/show/1100802 OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=163 --- CVE-2023-38559.patch | 11 +++++++++++ ghostscript.changes | 12 ++++++++++++ ghostscript.spec | 22 ++++++++++++++++++++++ 3 files changed, 45 insertions(+) create mode 100644 CVE-2023-38559.patch diff --git a/CVE-2023-38559.patch b/CVE-2023-38559.patch new file mode 100644 index 0000000..2d16234 --- /dev/null +++ b/CVE-2023-38559.patch @@ -0,0 +1,11 @@ +--- base/gdevdevn.c.orig 2022-04-04 15:48:49.000000000 +0200 ++++ base/gdevdevn.c 2023-07-26 11:31:03.873226054 +0200 +@@ -1950,7 +1950,7 @@ devn_pcx_write_rle(const byte * from, co + byte data = *from; + + from += step; +- if (data != *from || from == end) { ++ if (from >= end || data != *from) { + if (data >= 0xc0) + gp_fputc(0xc1, file); + } else { diff --git a/ghostscript.changes b/ghostscript.changes index f017971..de59921 100644 --- a/ghostscript.changes +++ b/ghostscript.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Wed Jul 26 09:35:33 UTC 2023 - Johannes Meixner + +- CVE-2023-38559.patch fixes CVE-2023-38559 + "out of bounds read devn_pcx_write_rle() could result in DoS" + see bsc#1213637 + and https://bugs.ghostscript.com/show_bug.cgi?id=706897 + which is in base/gdevdevn.c the same issue + "ordering in if expression to avoid out-of-bounds access" + as the already fixed CVE-2020-16305 in devices/gdevpcx.c + see https://bugs.ghostscript.com/show_bug.cgi?id=701819 + ------------------------------------------------------------------- Tue Jul 4 06:16:33 UTC 2023 - Johannes Meixner diff --git a/ghostscript.spec b/ghostscript.spec index c4bb788..900f6df 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -65,6 +65,17 @@ Patch102: CVE-2023-28879.patch # and https://bugzilla.suse.com/show_bug.cgi?id=1212711 # "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)" Patch103: CVE-2023-36664.patch +# Patch104 CVE-2023-38559.patch is for Ghostscript-9.56.1 from +# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1 +# that fixes CVE-2023-38559 +# "out of bounds read devn_pcx_write_rle() could result in DoS" +# see https://bugzilla.suse.com/show_bug.cgi?id=1213637 +# and https://bugs.ghostscript.com/show_bug.cgi?id=706897 +# which is in base/gdevdevn.c the same issue +# "ordering in if expression to avoid out-of-bounds access" +# as the already fixed CVE-2020-16305 in devices/gdevpcx.c +# see https://bugs.ghostscript.com/show_bug.cgi?id=701819 +Patch104: CVE-2023-38559.patch BuildRequires: freetype2-devel BuildRequires: libjpeg-devel BuildRequires: liblcms2-devel @@ -281,6 +292,17 @@ This package contains the development files for Ghostscript. # and https://bugzilla.suse.com/show_bug.cgi?id=1212711 # "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)" %patch103 +# Patch104 CVE-2023-38559.patch is for Ghostscript-9.56.1 from +# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1 +# that fixes CVE-2023-38559 +# "out of bounds read devn_pcx_write_rle() could result in DoS" +# see https://bugzilla.suse.com/show_bug.cgi?id=1213637 +# and https://bugs.ghostscript.com/show_bug.cgi?id=706897 +# which is in base/gdevdevn.c the same issue +# "ordering in if expression to avoid out-of-bounds access" +# as the already fixed CVE-2020-16305 in devices/gdevpcx.c +# see https://bugs.ghostscript.com/show_bug.cgi?id=701819 +%patch104 # Remove patch backup files to avoid packaging # cf. https://build.opensuse.org/request/show/581052 rm -f Resource/Init/*.ps.orig