On Tue, 2021-01-19 at 13:45 +0800, Wang Mingyu wrote: References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
Signed-off-by: Wang Mingyu <wan...@cn.fujitsu.com> --- .../ghostscript/CVE-2013-6629.patch | 28 +++++++++++++++++++ .../ghostscript/ghostscript_9.53.3.bb | 1 + 2 files changed, 29 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2013-6629.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2013-6629.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2013-6629.patch new file mode 100644 index 0000000000..dffd215b4d --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2013-6629.patch @@ -0,0 +1,28 @@ +Subject: [PATCH] CVE-2013-6629 + +Author: pchelko +--- + jpeg/jdmarker.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/jpeg/jdmarker.c b/jpeg/jdmarker.c +index 3fbe5c1..ea3ef4a 100644 +--- a/jpeg/jdmarker.c ++++ b/jpeg/jdmarker.c +@@ -382,6 +382,13 @@ get_sos (j_decompress_ptr cinfo) + + TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, compptr->component_id, + compptr->dc_tbl_no, compptr->ac_tbl_no); ++ ++ /* This CSi (cc) should differ from the previous CSi */ ++ for (ci = 0; ci < i; ci++) { ++ if (cinfo->cur_comp_info[ci] == compptr) { ++ ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc); ++ } ++ } + } + + /* Collect the additional scan parameters Ss, Se, Ah/Al. */ +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb index cbf60c8c85..24d17da263 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb 
@@ -29,6 +29,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://do-not-check-local-libpng-source.patch \ file://avoid-host-contamination.patch \ file://mkdir-p.patch \ + file://CVE-2013-6629.patch \ " SRC_URI = "${SRC_URI_BASE} \ Does ghostscript still have an open issue from 2013? I'd like to understand a bit more about the background to this patch and why upstream haven't taken it... Cheers, Richard
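Review bot: the header of the new patch file (the `+Subject: [PATCH] CVE-2013-6629` / `+Author: pchelko` block) carries no Upstream-Status: line, no CVE: CVE-2013-6629 tag and no link to where the pchelko change was taken from, so cve-check cannot associate it with the CVE and a reader cannot tell which libjpeg tree it was written against. Because the hunk targets ghostscript's bundled copy (jpeg/jdmarker.c) rather than a system libjpeg, I would add those tags plus a sentence stating whether the IJG jpeg version shipped in ghostscript 9.53.3 already rejects duplicate component selectors in get_sos, which is also what the question about upstream above needs answered. The added loop reuses `ci` and only works if `cinfo->cur_comp_info[i]` has been assigned to `compptr` before the `TRACEMS3` context line; that assignment is outside the visible context, so please confirm it against the ghostscript copy of get_sos before this is merged.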