From: Archana Polampalli <archana.polampa...@windriver.com> Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../ghostscript/CVE-2024-33871.patch | 43 +++++++++++++++++++ .../ghostscript/ghostscript_10.02.1.bb | 1 + 2 files changed, 44 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33871.patch
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33871.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33871.patch new file mode 100644 index 0000000000..abe6384997 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33871.patch @@ -0,0 +1,43 @@ +From 7145885041bb52cc23964f0aa2aec1b1c82b5908 Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra <zhut...@centrum.cz> +Date: Mon, 22 Apr 2024 13:33:47 +0100 +Subject: [PATCH 4/5] OPVP device - prevent unsafe parameter change with SAFER + +Bug #707754 "OPVP device - Arbitrary code execution via custom Driver library" + +The "Driver" parameter for the "opvp"/"oprp" device specifies the name +of a dynamic library and allows any library to be loaded. + +The patch does not allow changing this parameter after activating path +control. + +This addresses CVE-2024-33871 + +CVE: CVE-2024-33871 + +Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc2396] + +Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> +--- + contrib/opvp/gdevopvp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c +index 74200cf..80eb23b 100644 +--- a/contrib/opvp/gdevopvp.c ++++ b/contrib/opvp/gdevopvp.c +@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist) + code = param_read_string(plist, pname, &vdps); + switch (code) { + case 0: ++ if (gs_is_path_control_active(dev->memory) ++ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size ++ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) { ++ param_signal_error(plist, pname, gs_error_invalidaccess); ++ return_error(gs_error_invalidaccess); ++ } + buff = realloc(buff, vdps.size + 1); + memcpy(buff, vdps.data, vdps.size); + buff[vdps.size] = 0; +-- +2.40.0 diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb index 91285ed2ad..8bda4404cc 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb @@ -29,6 +29,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo file://CVE-2024-33870.patch \ file://CVE-2024-33869-0001.patch \ file://CVE-2024-33869-0002.patch \ + file://CVE-2024-33871.patch \ " SRC_URI[sha256sum] = "e429e4f5b01615a4f0f93a4128e8a1a4d932dff983b1774174c79c0630717ad9" -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#200102): https://lists.openembedded.org/g/openembedded-core/message/200102 Mute This Topic: https://lists.openembedded.org/mt/106425337/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
